Identification method of an entity

ABSTRACT

The present invention relates to a biometric identification method of an entity comprising computation of a matching value between biometric data of an entity u and reference biometric data u′, by application of a function F to said biometric data by performing a non-interactive, publicly verifiable computation method comprising: representation of said function in the form of an arithmetic circuit converted into a polynomial representation, and generation of keys, determination of matching value by evaluating the arithmetic circuit having the biometric data of the entity and the reference biometric data as inputs, generation of proof of correction of the computation execution of the matching values, verification of said received proof, representation of said function comprising encoding of an integer k>1 of binary integers of a vector of a biometric datum on at least one input wire of the circuit, and the function F comprising at least m scalar products, if the divider m is equal to 2 or 3, evaluation of the circuit iteratively comprises computation of each of the m scalar products by means of N/km multiplication operators, storage and summation of m results of computations of said scalar products and if the divider m is greater than or equal to 4, evaluation of the circuit iteratively comprises computation of each of the m scalar products by alternatively using a first or a second sub-circuit to compute the sum of the scalar product of the values of the input wires of this sub-circuit and of a value stored in a storage memory of the other sub-circuit.

GENERAL TECHNICAL FIELD

The present invention relates to the field of identification of an entity, individual or object. More precisely, it relates to a biometric identification method in which comparison to reference biometric data is delegated to a remote device under a publicly verifiable computation protocol.

STATE OF THE ART

Due to the increasing miniaturization of digital computation systems, there is now a wide range of digital devices with varying computational power, from the smart card to the supercomputer, including the smartphone and the personal computer. In this context, it can be worthwhile for a device with limited computational power to delegate costly computations to a remote device with greater computational power. Such delegation has recently been made easier by the development of high-speed communications networks and by offerings for outsourcing computations to the cloud.

But such delegation of computations raises the problem of the confidence which can be placed in computation results transmitted by a remote executing party. Computation errors can in fact occur, either because of technical problems independent of the will of the executing party or because of deliberate and malicious action.

Considerable efforts have therefore been made to develop computation protocols, called verifiable computation, letting a remote executing party prove to the device that ordered the computation that it was executed correctly. For a long time, however, the protocols developed remained applicable to specific functions only, or else remained unusable in practice because of the substantial number of computations the ordering party needed to verify the proof supplied by the executing party.

The Pinocchio protocol presented in the publication “Bryan Parno, Craig Gentry, Jon Howell, and Mariana Raykova, Pinocchio: Nearly Practical Verifiable Computation, in Proceedings of the IEEE Symposium on Security and Privacy, IEEE, 21 May 2013” was one of the first verifiable computation protocols for the executing party to verifiably compute the application of any function and for the ordering party to verify the associated proof in a computation time less than that necessary for making the computation itself, allowing the ordering party to effectively take advantage of delegation of computation despite excess costs linked to verification of the proof.

The Pinocchio protocol has the major disadvantage of needing substantial computational power on the part of the executing party. The production cost of computation proof by this protocol is in fact greater by several orders of magnitude than that of the computation itself.

The Pinocchio protocol is based on transcription of the function to be evaluated in the form of an arithmetic circuit and construction of the corresponding quadratic arithmetic program (QAP). The computation cost rises with the number of multipliers in this arithmetic circuit. Such a number can rapidly become large, for example in the case where the function comprises a loop whereof each iteration must be represented explicitly by its own operators in the circuit. This limits the practical use of such a protocol to evaluation of very simple functions.

This protocol was then improved by the Geppetto protocol, presented in the publication “Craig Costello, Cedric Fournet, Jon Howell, Markulf Kohlweiss, Benjamin Kreuter, Michael Naehrig, Bryan Parno, and Samee Zahur, Geppetto: Versatile Verifiable Computation, in Proceedings of the IEEE Symposium on Security and Privacy, IEEE, 18 May 2015”. This novel verifiable computation protocol proposes splitting the function to be evaluated into several sub-functions, optionally used several times for evaluation of the overall function, for example at each iteration of a loop. The proof of evaluation of this function can then be constructed from the less expensive proofs relating to evaluation of such sub-functions. The total arithmetic circuit can be substantially simplified relative to that of the Pinocchio protocol, considerably limiting the number of multipliers to be employed. The total production cost of the proof for the executing party is reduced relative to that of the Pinocchio protocol. The computation cost of a proof under the Geppetto protocol nevertheless continues to grow with the number of multipliers necessary for representation of the function to be evaluated in the form of an arithmetic circuit. A bootstrapping technique has been introduced to improve the situation, but implementing this method degrades performance.

Many other derivatives of the Pinocchio protocol have been proposed, and there are varied applications in multiple technical fields. For example, the Cinderella protocol presented in the publication “Antoine Delignat-Lavaud, Cedric Fournet, Markulf Kohlweiss and Bryan Parno, Cinderella: Turning Shabby X.509 Certificates into Elegant Anonymous Credentials with the Magic of Verifiable Computation, in 2016 IEEE Symposium on Security and Privacy”, relates to the electronic signing of documents, and the PhotoProof protocol, presented in the publication “Assa Naveh, Eran Tromer, PhotoProof: cryptographic image authentication for any set of permissible transformations, proc. IEEE Symposium on Security & Privacy (Oakland) 2016, 255-271, IEEE, 2016” ensures that a photograph has been modified only according to a set of admissible transformations and has not been falsified.

Within the scope of biometric identification it is necessary to compare a biometric fingerprint to a multitude of reference biometric fingerprints, within a period short enough to be acceptable to the individual to be identified. Such comparison between two biometric fingerprints each represented in the form of a vector u, respectively u′, of N binary integers u_(i) or u′_(i), can be made by computing the scalar product u·u′ between these two vectors. The arithmetic circuit corresponding to such a scalar product is represented in FIG. 1. It then comprises at least N multipliers each taking on input an integer u_(i) and the corresponding integer u′_(i). Such a number of multipliers implies, for the protocols described hereinabove, a number of computations too great to be carried out in real time, making such protocols unsuitable for use in a biometric identification method.

There is therefore a need for a biometric identification method for delegating the comparison of biometric fingerprints to a remote entity under a verifiable computation protocol, at a computation cost, including production and verification of the proof, that allows execution in real time.

PRESENTATION OF THE INVENTION

The present invention proposes according to a first aspect a biometric identification method of an entity, by a biometric identification system comprising a client device and a remote computation device, comprising:

-   computation of at least one matching value between at least one biometric datum of the entity u and at least one reference biometric datum u′, by application of a function F to said biometric data, each of said data being a vector of N binary integers u_(i) or u′_(i), with 1≦i≦N, each integer being coded on n bits, said function comprising a scalar product between a biometric datum of the entity and a reference biometric datum, said computation performing a non-interactive, publicly verifiable computation method comprising steps of:
    -   representation of said function in the form of an arithmetic circuit comprising wires transporting values of the finite prime field _(q), with q a prime number, and connecting addition and multiplication operators,
    -   conversion of said arithmetic circuit into a polynomial representation, QAP (Quadratic Arithmetic Program) or multi-QAP,
    -   generation of a public evaluation key and of a public verification key as a function of said polynomial representation,
    -   obtaining by the remote computation device of the arithmetic circuit and of the public evaluation key,
    -   for each biometric datum of the entity, determination of at least one matching value between said biometric datum and at least one reference biometric datum by the remote computation device by evaluating the arithmetic circuit having as inputs the biometric datum of the entity and the reference biometric datum,
    -   for each determined matching value, generation by the remote computation device of a proof of correction of the computation execution of the matching value, so-called generated proof, from said polynomial representation, the public evaluation key and the result of the evaluation of the arithmetic circuit,
    -   transmission by the remote computation device of said matching values and of said generated proofs to the client device,
    -   verification of said proofs received by the client device by means of the public verification key,
-   identification of the entity by the client device as a function of the matching values and of the result of said verification of proofs,
-   characterized in that:
-   representation of said function comprises encoding an integer k>1 of binary integers of a vector of a biometric datum on at least one input wire of the circuit,
-   and the function F comprising at least m scalar products, m being a divider of the length N of the biometric data vectors,
    -   if the divider m is equal to 2 or 3,
    -   the circuit comprises at least N/km multiplication operators connected to the input wires of the circuit, a storage memory, and at least one addition operator,
    -   and evaluation of the circuit iteratively comprises computation of each of the m scalar products by means of said N/km multiplication operators, storage of m results of computations of said scalar products in said storage memory and summation of said results by means of said addition operator,
    -   if the divider m is greater than or equal to 4,
    -   the circuit comprises at least one first computation sub-circuit of scalar product comprising N/km first multiplication operators connected to the input wires of the circuit and a first storage memory, and a second computation sub-circuit of scalar product comprising N/km second multiplication operators connected to the input wires of the circuit and a second storage memory, each of said sub-circuits being also connected to an output of the storage memory of the other sub-circuit,
    -   and evaluation of the circuit iteratively comprises computation of each of the m scalar products by using alternatively the first or the second sub-circuit to compute the sum of the scalar product of the values of the input wires of this sub-circuit and of the value stored in the storage memory of the other sub-circuit.

This lets the client device delegate the computation of the scalar products necessary for biometric identification of the entity, and verify the exactness of the computations made by the remote device, all at moderate cost thanks to the reduced complexity of the circuits used to represent the scalar product function. Such circuits in fact comprise on the order of k*m times fewer multipliers than the circuit according to the state of the art.

The verification step of said received proofs can comprise batch verification of pairings.

In a first mode of operation, if the divider m of the length N of the biometric data vectors is equal to 1, given an asymmetric bilinear environment (q, G₁, G₂, G_(T), g₁, g₂, e) where q is a prime number, G₁, G₂ and G_(T) three groups of order q, g₁ a generator of G₁, g₂ a generator of G₂, and e a non-degenerate bilinear pairing e: G₁×G₂→G_(T) and the arithmetic circuit being represented in the form of a QAP of the circuit Q=(t, V, W, Y) of size ρ and degree δ, with V={v_(i)}, W={w_(i)}, Y={y_(i)}, 0≦i≦ρ,

and given I_(io)={1, . . . , θ} the set of indices corresponding to the input/output wires of the circuit and I_(mid)={θ+1, . . . , ρ} the set of indices of intermediate wires of the circuit not being input wires of the circuit,

-   the generation step of a public evaluation key and a public verification key comprises:
    -   generation of random variables $r_v, r_w, s, \alpha_v, \alpha_w, \alpha_y, \beta, \gamma$ in _(q),
    -   definition of coefficients $r_y = r_v \cdot r_w$, $g_{v1} = g_1^{r_v}$, $g_{w1} = g_1^{r_w}$, $g_{w2} = g_2^{r_w}$, $g_{y1} = g_1^{r_y}$ and $g_{y2} = g_2^{r_y}$,
    -   generation of the public evaluation key $EK_F$ equal to $(EK_{F1}, EK_{F2})$ where

$EK_{F1} = \begin{pmatrix} \{ g_{v1}^{v_i(s)} \}_{i \in I_{mid}}, \{ g_{w1}^{w_i(s)} \}_{i \in I_{mid}}, \{ g_{y1}^{y_i(s)} \}_{i \in I_{mid}}, \\ \{ g_{v1}^{\alpha_v \cdot v_i(s)} \}_{i \in I_{mid}}, \{ g_{w1}^{\alpha_w \cdot w_i(s)} \}_{i \in I_{mid}}, \{ g_{y1}^{\alpha_y \cdot y_i(s)} \}_{i \in I_{mid}}, \\ \{ g_1^{s^i} \}_{i \in [1,\delta]}, \{ g_{v1}^{\beta \cdot v_i(s)} \cdot g_{w1}^{\beta \cdot w_i(s)} \cdot g_{y1}^{\beta \cdot y_i(s)} \}_{i \in I_{mid}} \end{pmatrix}$

$EK_{F2} = \left( \{ g_{w2}^{w_i(s)} \}_{i \in I_{mid}} \right)$

    -   generation of the public verification key $VK_F$ equal to $(VK_{F1}, VK_{F2})$ where:

$VK_{F1} = \left( g_1, \{ g_{v1}^{v_i(s)} \}_{i \in [1,\theta]}, \{ g_{y1}^{y_i(s)} \}_{i \in [1,\theta]} \right)$

$VK_{F2} = \left( g_2, g_2^{\alpha_v}, g_2^{\alpha_w}, g_2^{\alpha_y}, g_2^{\gamma}, g_2^{\beta \cdot \gamma}, g_{y2}^{t(s)}, \{ g_{w2}^{w_i(s)} \}_{i \in [1,\theta]} \right)$

-   generation by the remote computation device of proof of correction of the computation execution of a matching value comprises, $\{c_i\}_{i \in [1,\rho]}$ being the set of values of the circuit determined during the determination step of the matching value:
    -   determination of a polynomial $h(x)$ such that $p(x) = h(x) \cdot t(x)$ with $p(x) = \left( v_0(x) + \sum_{i=1}^{\rho} c_i \cdot v_i(x) \right) \cdot \left( w_0(x) + \sum_{i=1}^{\rho} c_i \cdot w_i(x) \right) - \left( y_0(x) + \sum_{i=1}^{\rho} c_i \cdot y_i(x) \right)$,
    -   computation of the generated proof $\pi = (\pi_1, \pi_2)$ with:

${\pi_{1} = \begin{pmatrix} {g_{v\; 1}^{v_{mid}{(s)}},g_{w\; 1}^{w_{mid}{(s)}},g_{y\; 1}^{y_{mid}{(s)}},g_{1}^{h{(s)}},} \\ {g_{v\; 1}^{\alpha_{v} \cdot {v_{mid}{(s)}}},g_{w\; 1}^{\alpha_{w} \cdot {w_{mid}{(s)}}},g_{y\; 1}^{\alpha_{y} \cdot {y_{mid}{(s)}}},} \\ {g_{v\; 1}^{\beta \cdot {v_{mid}{(s)}}},g_{w\; 1}^{\beta \cdot {w_{mid}{(s)}}},g_{y\; 1}^{\beta \cdot {y_{mid}{(s)}}}} \end{pmatrix}},{\pi_{2} = \left( g_{w\; 2}^{w_{mid}{(s)}} \right)}$

where:

$v_{mid}(x) = \sum_{i \in I_{mid}} c_i \cdot v_i(x)$, $w_{mid}(x) = \sum_{i \in I_{mid}} c_i \cdot w_i(x)$ and $y_{mid}(x) = \sum_{i \in I_{mid}} c_i \cdot y_i(x)$,

-   and, wherein said proofs received by the client device being equal to $(\pi_{r1}, \pi_{r2})$ with $\pi_{r1}$ in the form of: $(g_{v1}^{V_{mid}}, g_{w1}^{W_{mid}}, g_{y1}^{Y_{mid}}, g_1^{H}, g_{v1}^{V'_{mid}}, g_{w1}^{W'_{mid}}, g_{y1}^{Y'_{mid}}, g_1^{Z})$ and $\pi_{r2}$ in the form $g_{w2}^{W_{mid}}$, verification of a received proof comprises performing the following equality tests:

$e\left( g_{v1}^{v_0(s)} \cdot g_{v1}^{v_{io}(s)} \cdot g_{v1}^{V_{mid}},\ g_{w2}^{w_0(s)} \cdot g_{w2}^{w_{io}(s)} \cdot g_{w2}^{W_{mid}} \right) = e\left( g_1^{H}, g_{y2}^{t(s)} \right) \cdot e\left( g_{y1}^{y_0(s)} \cdot g_{y1}^{y_{io}(s)} \cdot g_{y1}^{Y_{mid}},\ g_2 \right)$,

$e\left( (g_{v1}^{V'_{mid}})^{d_1} \cdot (g_{w1}^{W'_{mid}})^{d_2} \cdot (g_{y1}^{Y'_{mid}})^{d_3},\ g_2 \right) = e\left( (g_{v1}^{V_{mid}})^{d_1}, g_2^{\alpha_v} \right) \cdot e\left( (g_{w1}^{W_{mid}})^{d_2}, g_2^{\alpha_w} \right) \cdot e\left( (g_{y1}^{Y_{mid}})^{d_3}, g_2^{\alpha_y} \right)$,

$e\left( g_1^{Z}, g_2^{\gamma} \right) = e\left( g_{v1}^{V_{mid}} \cdot g_{w1}^{W_{mid}} \cdot g_{y1}^{Y_{mid}},\ g_2^{\beta \cdot \gamma} \right)$

where $g_{v1}^{v_{io}(s)} = \prod_{i=1}^{\theta} (g_{v1}^{v_i(s)})^{c_i}$, $g_{w1}^{w_{io}(s)} = \prod_{i=1}^{\theta} (g_{w1}^{w_i(s)})^{c_i}$, and $g_{y1}^{y_{io}(s)} = \prod_{i=1}^{\theta} (g_{y1}^{y_i(s)})^{c_i}$ and $(d_1, d_2, d_3)$ elements of _(q) on λ bits with λ a security parameter.

Verification of the proof of computation is accelerated relative to the Pinocchio protocol, by way of simultaneous verification of several pairings.
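Why the weights (d₁, d₂, d₃) in the second equality test above matter, as an added example that is not code from the patent: group elements are modelled by their discrete logarithms modulo a toy prime so that the pairing becomes a multiplication, an assumption that removes all security and only makes the algebra executable offline. The exponent values and the inconsistent test vector are constructed for the illustration.

```python
"""Added example: batched consistency test with verifier-chosen weights (toy model)."""
import secrets

Q = 2**127 - 1  # toy prime group order (constructed); real schemes use pairing-friendly curves


class ToyPairing:
    """G1, G2 and GT elements are stored as discrete logs, so e(g1^a, g2^b) -> a*b mod Q.
    This has no security at all; it only makes the equality tests executable."""

    def __init__(self):
        self.calls = 0  # number of pairing evaluations performed

    def e(self, a, b):
        self.calls += 1
        return a * b % Q


def rand_scalar():
    return 1 + secrets.randbelow(Q - 1)


def keygen():
    key = {name: rand_scalar() for name in ("r_v", "r_w", "a_v", "a_w", "a_y")}
    key["r_y"] = key["r_v"] * key["r_w"] % Q  # r_y = r_v * r_w as in the key generation step
    return key


def honest_proof(key, V, W, Y):
    # Logs of g_v1^V, g_w1^W, g_y1^Y and of the primed elements, where V' = alpha_v * V etc.
    p = {"V": key["r_v"] * V % Q, "W": key["r_w"] * W % Q, "Y": key["r_y"] * Y % Q}
    p["Vp"] = p["V"] * key["a_v"] % Q
    p["Wp"] = p["W"] * key["a_w"] % Q
    p["Yp"] = p["Y"] * key["a_y"] % Q
    return p


def separate_checks(pairing, key, p):
    # Three independent tests e(g^X', g2) = e(g^X, g2^alpha): six pairings in total.
    results = [pairing.e(p[x + "p"], 1) == pairing.e(p[x], key[a])
               for x, a in (("V", "a_v"), ("W", "a_w"), ("Y", "a_y"))]
    return all(results)


def batched_check(pairing, key, p, d=None, lam=80):
    # Second equality test of the first mode: four pairings. The weights are drawn by the
    # verifier after the proof has been received, each on lam bits.
    d1, d2, d3 = d or tuple(secrets.randbits(lam) for _ in range(3))
    lhs = pairing.e((d1 * p["Vp"] + d2 * p["Wp"] + d3 * p["Yp"]) % Q, 1)
    rhs = (pairing.e(d1 * p["V"] % Q, key["a_v"])
           + pairing.e(d2 * p["W"] % Q, key["a_w"])
           + pairing.e(d3 * p["Y"] % Q, key["a_y"])) % Q  # product in GT = sum of logs
    return lhs == rhs


def inconsistent_proof(p, delta=12345):
    # Constructed test vector: two primed elements carry errors that cancel in the product.
    bad = dict(p)
    bad["Vp"] = (p["Vp"] + delta) % Q
    bad["Wp"] = (p["Wp"] - delta) % Q
    return bad


def demo():
    key = keygen()
    good = honest_proof(key, V=11, W=22, Y=33)  # constructed exponents
    bad = inconsistent_proof(good)
    sep, bat = ToyPairing(), ToyPairing()
    res = {"honest_separate": separate_checks(sep, key, good),
           "honest_batched": batched_check(bat, key, good)}
    res["pairings_separate"], res["pairings_batched"] = sep.calls, bat.calls
    res["bad_separate"] = separate_checks(ToyPairing(), key, bad)
    res["bad_unweighted"] = batched_check(ToyPairing(), key, bad, d=(1, 1, 1))
    res["bad_batched"] = batched_check(ToyPairing(), key, bad)
    return res


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

With all weights fixed to 1 the inconsistent tuple passes the combined test, whereas with λ-bit random weights it passes only if d₁ = d₂, which happens with probability 2^(−λ).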

In a second mode of operation, if the divider m of the length N of the biometric data vectors is greater than or equal to 2, given an asymmetric bilinear environment (q, G₁, G₂, G_(T), g₁, g₂, e) where q is a prime number, G₁, G₂ and G_(T) three groups of order q, g₁ a generator of G₁, g₂ a generator of G₂, and e a non-degenerate bilinear pairing e: G₁×G₂→G_(T), the arithmetic circuit being represented in the form of a multi-QAP Q=({B_(b)}_(b∈[1,l]),t,V,W,Y) of size ρ and degree δ, with {B_(b)}_(b∈[1,l]) a set of l banks B_(b) of Q used in computation of the function F, and V={v_(i)}, W={w_(i)}, Y={y_(i)} with 0≦i≦ρ,

-   the generation step of a public evaluation key and a public verification key comprises:
    -   generation of random variables $s, \{(\alpha_{bv}, \alpha_{bw}, \alpha_{by}, \beta_b, \gamma_b)\}_{b \in [1,l]}, r_v, r_w$ in _(q),
    -   definition of the following coefficients: $r_y = r_v \cdot r_w$, $g_{v1} = g_1^{r_v}$, $g_{v2} = g_2^{r_v}$, $g_{w1} = g_1^{r_w}$, $g_{w2} = g_2^{r_w}$, $g_{y1} = g_1^{r_y}$ and $g_{y2} = g_2^{r_y}$,
    -   generation of the public evaluation key $EK_F$ equal to:

$\left( \{EK_{Fb}\}_{b \in [1,l]}, \{ g_1^{s^i} \}_{i \in [1,\delta]}, g_{v1}^{t(s)}, g_{w1}^{t(s)}, g_{y1}^{t(s)}, g_{v2}^{t(s)}, g_{w2}^{t(s)}, g_{y2}^{t(s)} \right)$

where each public bank key $EK_{Fb}$ is equal to $(EK_{Fb1}, EK_{Fb2})$ with:

$EK_{Fb1} = \begin{pmatrix} \begin{Bmatrix} g_{v1}^{v_i(s)}, g_{w1}^{w_i(s)}, g_{y1}^{y_i(s)}, g_{v1}^{\alpha_{bv} \cdot v_i(s)}, g_{w1}^{\alpha_{bw} \cdot w_i(s)}, g_{y1}^{\alpha_{by} \cdot y_i(s)}, \\ g_{v1}^{\beta_b \cdot v_i(s)} \cdot g_{w1}^{\beta_b \cdot w_i(s)} \cdot g_{y1}^{\beta_b \cdot y_i(s)} \end{Bmatrix}_{i \in B_b}, \\ g_{v1}^{\alpha_{bv} \cdot t(s)}, g_{w1}^{\alpha_{bw} \cdot t(s)}, g_{y1}^{\alpha_{by} \cdot t(s)}, g_{v1}^{\beta_b \cdot t(s)} \cdot g_{w1}^{\beta_b \cdot t(s)} \cdot g_{y1}^{\beta_b \cdot t(s)} \end{pmatrix}$

$EK_{Fb2} = \left( \{ g_{w2}^{w_i(s)} \}_{i \in B_b}, g_{w2}^{\alpha_{bw} \cdot t(s)} \right)$

-   generation of the public verification key $VK_F$ equal to: $(\{VK_{Fb}\}_{b \in [1,l]}, g_1, g_2, g_{y2}^{t(s)})$ where each public bank key $VK_{Fb}$ is equal to $(g_2^{\alpha_{bv}}, g_2^{\alpha_{bw}}, g_2^{\alpha_{by}}, g_2^{\gamma_b}, g_2^{\beta_b \cdot \gamma_b})$,
-   determination of a matching value comprises, function F being divided into ω sub-functions $F_1, \ldots, F_\omega$ and $\sigma = ((f_l, (T_{l1}, \ldots, T_{ll})))_{l \in [1,L]}$ being a scheduling of length L with $f_l \in \{1, \ldots, \omega\}$, evaluation of each sub-function $F_\omega$ from the biometric data of the entity and the reference biometric data and determination of the values of the circuit,
-   generation by the remote computation device of proof of correction of the computation execution of a matching value comprises, for each $l = \{1, \ldots, L\}$:
    -   for each bank $B_b$ such that $b \in \Lambda$, with $\Lambda \subset [1,l]$ the set of indices $b \in [1,l]$ such that $T_{lb} \neq 0$, $\Gamma = \bigcup_{b \in \Lambda} B_b$, $\{c_j\}_{j \in B_b}$ an instance of the bank $B_b$, $\Delta = \{c_i\}_{i \in \Gamma}$ the set of values of Γ:
        -   generation of pledging random variables in _(q): $o_b = (o_{bv}, o_{bw}, o_{by})$,
        -   computation of a digest $D_b$ equal to $(D_{b1}, D_{b2})$ from the instance of the bank of variables $B_b$: $B_b^{(T_{lb})} = \{c_i \in \Delta\}_{i \in B_b}$ and pledging random variables $o_b$ and such that:
            -   if the bank $B_b$ is an input/output bank: $D_{b1} = (g_{v1}^{v^{(b)}(s)}, g_{y1}^{y^{(b)}(s)})$ and $D_{b2} = (g_{w2}^{w^{(b)}(s)})$,
            -   if the bank $B_b$ is not an input/output bank:

$D_{b1} = \begin{pmatrix} g_{v1}^{v^{(b)}(s)}, g_{w1}^{w^{(b)}(s)}, g_{y1}^{y^{(b)}(s)}, g_{v1}^{\alpha_{bv} \cdot v^{(b)}(s)}, g_{w1}^{\alpha_{bw} \cdot w^{(b)}(s)}, g_{y1}^{\alpha_{by} \cdot y^{(b)}(s)}, \\ g_{v1}^{\beta_b \cdot v^{(b)}(s)} \cdot g_{w1}^{\beta_b \cdot w^{(b)}(s)} \cdot g_{y1}^{\beta_b \cdot y^{(b)}(s)} \end{pmatrix}$

$D_{b2} = \left( g_{w2}^{w^{(b)}(s)} \right)$

with:

$v^{(b)}(s) = \sum_{i \in B_b} c_i \cdot v_i(s) + o_{bv} \cdot t(s)$,

$w^{(b)}(s) = \sum_{i \in B_b} c_i \cdot w_i(s) + o_{bw} \cdot t(s)$,

$y^{(b)}(s) = \sum_{i \in B_b} c_i \cdot y_i(s) + o_{by} \cdot t(s)$,

    -   determination of a polynomial $h^{(l)}(x)$ such that $p^{(l)}(x) = h^{(l)}(x) \cdot t(x)$ with $p^{(l)}(x) = \left( v_0(x) + \sum_{i \in \Gamma} c_i \cdot v_i(x) + \sum_{b \in \Lambda} o_{bv} \cdot t(x) \right) \cdot \left( w_0(x) + \sum_{i \in \Gamma} c_i \cdot w_i(x) + \sum_{b \in \Lambda} o_{bw} \cdot t(x) \right) - \left( y_0(x) + \sum_{i \in \Gamma} c_i \cdot y_i(x) + \sum_{b \in \Lambda} o_{by} \cdot t(x) \right)$,
    -   computation of a proof element $\pi^{(l)}$ equal to $g_1^{h^{(l)}(s)}$,

-   and, wherein said proofs received by the client device being of the form $D_1^{(1)}, \ldots, D_l^{(1)}, \pi^{(1)}, \ldots, D_1^{(L)}, \ldots, D_l^{(L)}, \pi^{(L)}$ where for all $l \in \{1, \ldots, L\}$ and $b \in \{1, \ldots, l\}$:

$D_b^{(l)} = \left( \left( g_{v1}^{V_b^{(l)}}, g_{w1}^{W_b^{(l)}}, g_{y1}^{Y_b^{(l)}}, g_{v1}^{V_b^{\prime (l)}}, g_{w1}^{W_b^{\prime (l)}}, g_{y1}^{Y_b^{\prime (l)}}, g_1^{Z_b^{(l)}} \right), \left( g_{w2}^{W_b^{(l)}} \right) \right)$

and $\pi^{(l)} = g_1^{H^{(l)}}$, verification of a received proof (E8) comprises:

-   verification of L·l digests, for $l \in \{1, \ldots, L\}$ and $b \in \{1, \ldots, l\}$ comprising performing the following equality tests:

$e\left( g_{v1}^{V_b^{\prime (l)}}, g_2^{\alpha_{bv}} \right) = e\left( g_{v1}^{V_b^{(l)}}, g_2 \right)$

$e\left( g_{w1}^{W_b^{\prime (l)}}, g_2^{\alpha_{bw}} \right) = e\left( g_{w1}^{W_b^{(l)}}, g_2 \right)$

$e\left( g_{y1}^{Y_b^{\prime (l)}}, g_2^{\alpha_{by}} \right) = e\left( g_{y1}^{Y_b^{(l)}}, g_2 \right)$

$e\left( g_1^{Z_b^{(l)}}, g_2^{\gamma_b} \right) = e\left( g_{v1}^{V_b^{(l)}} \cdot g_{w1}^{W_b^{(l)}} \cdot g_{y1}^{Y_b^{(l)}}, g_2^{\beta_b \cdot \gamma_b} \right)$

-   verification of L proofs comprising for $l \in \{1, \ldots, L\}$ performing the following equality test:

${e\left( {{\prod\limits_{b = 1}^{}\left( g_{v\; 1}^{V_{b}^{(l)}} \right)},{\prod\limits_{b = 1}^{}\left( g_{w\; 2}^{W_{b}^{(l)}} \right)}} \right)} = {{e\left( {g_{1}^{H^{(l)}},g_{y\; 2}^{t{(s)}}} \right)} \cdot {e\left( {{\prod\limits_{b = 1}^{}\left( g_{y\; 1}^{Y_{b}^{(l)}} \right)},g_{2}} \right)}}$

Verification of the proof of computation is accelerated relative to the Geppetto protocol, by way of simultaneous verification of several pairings.

In a third mode of operation, if the divider m of the length N of the biometric data vectors is greater than or equal to 2, given an asymmetric bilinear environment (q, G₁, G₂, G_(T), g₁, g₂, e) where q is a prime number, G₁, G₂ and G_(T) three groups of order q, g₁ a generator of G₁, g₂ a generator of G₂, and e a non-degenerate bilinear pairing e: G₁×G₂→G_(T), the arithmetic circuit being represented in the form of a multi-QAP Q=({B_(b)}_(b∈[1,l]), t,V,W,Y) of size ρ and degree δ, with {B_(b)}_(b∈[1,l]) a set of l banks B_(b) of Q used in computation of the function F, and V={v_(i)}, W={w_(i)}, Y={y_(i)} with 0≦i≦ρ,

-   generation step of a public evaluation key and a public verification key comprises:
    -   generation of random variables $s, \{(\alpha_{bv}, \alpha_{bw}, \alpha_{by}, \beta_b, \gamma_b)\}_{b \in [1,l]}, r_v, r_w$ in _(q),
    -   definition of the following coefficients: $r_y = r_v \cdot r_w$, $g_{v1} = g_1^{r_v}$, $g_{v2} = g_2^{r_v}$, $g_{w1} = g_1^{r_w}$, $g_{w2} = g_2^{r_w}$, $g_{y1} = g_1^{r_y}$ and $g_{y2} = g_2^{r_y}$,
    -   generation of the public evaluation key $EK_F$ equal to:

$\left( \{EK_{Fb}\}_{b \in [1,l]}, \{ g_1^{s^i} \}_{i \in [1,\delta]}, g_{v1}^{t(s)}, g_{w1}^{t(s)}, g_{y1}^{t(s)}, g_{v2}^{t(s)}, g_{w2}^{t(s)}, g_{y2}^{t(s)} \right)$

where each public bank key $EK_{Fb}$ is equal to $(EK_{Fb1}, EK_{Fb2})$ with:

$EK_{Fb1} = \begin{pmatrix} \begin{Bmatrix} g_{v1}^{v_i(s)}, g_{w1}^{w_i(s)}, g_{y1}^{y_i(s)}, g_{v1}^{\alpha_{bv} \cdot v_i(s)}, g_{w1}^{\alpha_{bw} \cdot w_i(s)}, g_{y1}^{\alpha_{by} \cdot y_i(s)}, \\ g_{v1}^{\beta_b \cdot v_i(s)} \cdot g_{w1}^{\beta_b \cdot w_i(s)} \cdot g_{y1}^{\beta_b \cdot y_i(s)} \end{Bmatrix}_{i \in B_b}, \\ g_{v1}^{\alpha_{bv} \cdot t(s)}, g_{w1}^{\alpha_{bw} \cdot t(s)}, g_{y1}^{\alpha_{by} \cdot t(s)}, g_{v1}^{\beta_b \cdot t(s)}, g_{w1}^{\beta_b \cdot t(s)}, g_{y1}^{\beta_b \cdot t(s)} \end{pmatrix}$

$EK_{Fb2} = \left( \{ g_{w2}^{w_i(s)} \}_{i \in B_b}, g_{w2}^{\alpha_{bw} \cdot t(s)} \right)$

-   generation of the public verification key $VK_F$ equal to: $(\{VK_{Fb}\}_{b \in [1,l]}, g_1, g_2, g_{y2}^{t(s)})$ where each public bank key $VK_{Fb}$ is equal to $(g_2^{\alpha_{bv}}, g_2^{\alpha_{bw}}, g_2^{\alpha_{by}}, g_2^{\gamma_b}, g_2^{\beta_b \cdot \gamma_b})$,
-   determination of a matching value comprises, function F being divided into ω sub-functions $F_1, \ldots, F_\omega$ and $\sigma = ((f_l, (T_{l1}, \ldots, T_{ll})))_{l \in [1,L]}$ being a scheduling of length L with $f_l \in \{1, \ldots, \omega\}$, evaluation of each sub-function $F_\omega$ from the biometric data of the entity and the reference biometric data and determination of the values of the circuit,
-   generation by the remote computation device of proof of correction of the computation execution of a matching value comprises, for each $l = \{1, \ldots, L\}$:
    -   for each bank $B_b$ such that $b \in \Lambda$, with $\Lambda \subset [1,l]$ the set of indices $b \in [1,l]$ such that $T_{lb} \neq 0$, $\Gamma = \bigcup_{b \in \Lambda} B_b$, $\{c_j\}_{j \in B_b}$ an instance of the bank $B_b$, $\Delta = \{c_i\}_{i \in \Gamma}$ the set of values of Γ:
        -   generation of pledging random variables in _(q): $o_b = (o_{bv}, o_{bw}, o_{by})$,
        -   computation of a digest $D_b$ equal to $(D_{b1}, D_{b2})$ from the instance of the bank of variables $B_b$: $B_b^{(T_{lb})} = \{c_i \in \Delta\}_{i \in B_b}$ and pledging random variables $o_b$ and such that:
            -   if the bank $B_b$ is an input/output bank: $D_{b1} = (g_{v1}^{v^{(b)}(s)}, g_{y1}^{y^{(b)}(s)})$ and $D_{b2} = (g_{w2}^{w^{(b)}(s)})$,
            -   if the bank $B_b$ is not an input/output bank:

$D_{b1} = \begin{pmatrix} g_{v1}^{v^{(b)}(s)}, g_{w1}^{w^{(b)}(s)}, g_{y1}^{y^{(b)}(s)}, g_{v1}^{\alpha_{bv} \cdot v^{(b)}(s)}, g_{w1}^{\alpha_{bw} \cdot w^{(b)}(s)}, g_{y1}^{\alpha_{by} \cdot y^{(b)}(s)}, \\ g_{v1}^{\beta_b \cdot v^{(b)}(s)} \cdot g_{w1}^{\beta_b \cdot w^{(b)}(s)} \cdot g_{y1}^{\beta_b \cdot y^{(b)}(s)} \end{pmatrix}$

$D_{b2} = \left( g_{w2}^{w^{(b)}(s)} \right)$

with:

$v^{(b)}(s) = \sum_{i \in B_b} c_i \cdot v_i(s) + o_{bv} \cdot t(s)$,

$w^{(b)}(s) = \sum_{i \in B_b} c_i \cdot w_i(s) + o_{bw} \cdot t(s)$,

$y^{(b)}(s) = \sum_{i \in B_b} c_i \cdot y_i(s) + o_{by} \cdot t(s)$,

    -   determination of a polynomial $h^{(l)}(x)$ such that $p^{(l)}(x) = h^{(l)}(x) \cdot t(x)$ with $p^{(l)}(x) = \left( v_0(x) + \sum_{i \in \Gamma} c_i \cdot v_i(x) + \sum_{b \in \Lambda} o_{bv} \cdot t(x) \right) \cdot \left( w_0(x) + \sum_{i \in \Gamma} c_i \cdot w_i(x) + \sum_{b \in \Lambda} o_{bw} \cdot t(x) \right) - \left( y_0(x) + \sum_{i \in \Gamma} c_i \cdot y_i(x) + \sum_{b \in \Lambda} o_{by} \cdot t(x) \right)$,
    -   computation of a proof element $\pi^{(l)}$ equal to $g_1^{h^{(l)}(s)}$,

-   and, wherein said proofs received by the client device being of the form $D_1^{(1)}, \ldots, D_l^{(1)}, \pi^{(1)}, \ldots, D_1^{(L)}, \ldots, D_l^{(L)}, \pi^{(L)}$ where for all $l \in \{1, \ldots, L\}$ and $b \in \{1, \ldots, l\}$:

$D_b^{(l)} = \left( \left( g_{v1}^{V_b^{(l)}}, g_{w1}^{W_b^{(l)}}, g_{y1}^{Y_b^{(l)}}, g_{v1}^{V_b^{\prime (l)}}, g_{w1}^{W_b^{\prime (l)}}, g_{y1}^{Y_b^{\prime (l)}}, g_1^{Z_b^{(l)}} \right), \left( g_{w2}^{W_b^{(l)}} \right) \right)$

and $\pi^{(l)} = g_1^{H^{(l)}}$, verification of a received proof comprises, given a correction parameter λ:

-   selection of a random vector (d₁, . . . , d_(3·l)) of elements of size λ,
-   batch verification of L·l digests comprising performing l times the following equality tests, for b∈{1, . . . , l}:

$e\left( \prod_{l=1}^{L} \left( g_{v1}^{V_b^{\prime (l)}} \right)^{d_l}, g_2^{\alpha_{bv}} \right) \cdot e\left( \prod_{l=1}^{L} \left( g_{w1}^{W_b^{\prime (l)}} \right)^{d_{L+l}}, g_2^{\alpha_{bw}} \right) \cdot e\left( \prod_{l=1}^{L} \left( g_{y1}^{Y_b^{\prime (l)}} \right)^{d_{2 \cdot L+l}}, g_2^{\alpha_{by}} \right) = e\left( \prod_{l=1}^{L} \left( g_{v1}^{V_b^{(l)}} \right)^{d_l} \cdot \prod_{l=1}^{L} \left( g_{w1}^{W_b^{(l)}} \right)^{d_{L+l}} \cdot \prod_{l=1}^{L} \left( g_{y1}^{Y_b^{(l)}} \right)^{d_{2 \cdot L+l}}, g_2 \right)$

$e\left( \prod_{l=1}^{L} \left( g_1^{Z_b^{(l)}} \right)^{d_l}, g_2^{\gamma_b} \right) = e\left( \prod_{l=1}^{L} \left( g_{v1}^{V_b^{(l)}} \cdot g_{w1}^{W_b^{(l)}} \cdot g_{y1}^{Y_b^{(l)}} \right)^{d_l}, g_2^{\beta_b \cdot \gamma_b} \right)$

-   -   batch verification of L proofs comprising performing the         following equality test:

${\prod\limits_{l = 1}^{L}\; {e\left( {{\prod\limits_{b = 1}^{}\; \left( g_{v\; 1}^{V_{b}{(l)}} \right)^{d_{l}}},{\prod\limits_{b = 1}^{}\; \left( g_{w\; 2}^{W_{b}{(l)}} \right)}} \right)}} = {{e\left( {{\prod\limits_{l = 1}^{L}\; \left( g_{1}^{H^{(l)}} \right)^{d_{l}}},g_{y\; 2}^{t{(s)}}} \right)} \cdot {e\left( {{\prod\limits_{l = 1}^{L}\; {\prod\limits_{b = 1}^{}\; \left( g_{y\; 1}^{Y_{b}^{(l)}} \right)^{d_{l}}}},g_{2}} \right)}}$

This makes verification of a proof even faster due to batch verification of digests of the proof.

Identification of the entity can comprise comparison of the matching values with a predetermined threshold.

Function F can comprise comparison of the result of the scalar product between said biometric data of the entity and said reference biometric data with a predetermined threshold.

Such comparison to a threshold decides if the compared biometric data are sufficiently close to conclude successful identification of the entity to be identified.

Encoding of k binary integers $u_i$ or $u'_i$ on an input wire of a $j$-th multiplication operator, $1\le j\le N/k$, is equal to

$E_k^{\left(\frac{(z-1)N}{m}+(j-1)k+1\right)}(u)$ or $E_k^{\left(\frac{(z-1)N}{m}+(j-1)k+1\right)}(u')$

with $1\le z\le m$, and is given by the formula:

$E_k^{((j-1)k+1)}(x)=\sum_{i=1}^{k}2^{\varepsilon_i}\cdot x_{(j-1)k+i}=2^{\varepsilon_1}\cdot x_{(j-1)k+1}+\ldots+2^{\varepsilon_k}\cdot x_{(j-1)k+k}$

with $\varepsilon_1,\ldots,\varepsilon_k$ predetermined integers.

Several integers of the biometric data can be encoded on each input wire, reducing the number of multipliers necessary for computation of the scalar product between a biometric datum of the entity and a reference biometric datum.

According to a second aspect, the invention relates to a computer program product comprising code instructions for execution of a method according to the first aspect when this program is executed by a processor.

According to a third aspect, the invention relates to a biometric identification system comprising a client device and a remote computation device characterized in that said client device and said remote computation device each comprise a processor, an interface and a memory for performing the steps of the identification method according to the first aspect.

Such computer program product and system have the same advantages as those mentioned for the method according to the first aspect.

PRESENTATION OF THE FIGURES

Other characteristics and advantages of the present invention will emerge from the following description of a preferred embodiment. This description will be given in reference to the appended drawings, in which:

FIG. 1 illustrates an arithmetic circuit corresponding to naive implementation of a scalar product for biometric identification of an entity;

FIG. 2 illustrates an identification system according to an embodiment of the invention;

FIG. 3 is a diagram showing an implementation of an identification method according to the invention;

FIGS. 4a and 4b illustrate an arithmetic circuit for biometric identification of an entity according to a first mode of operation of the invention;

FIGS. 5a and 5b illustrate an example implementation of the circuit of FIG. 4 for N=3000, n=8, q=256, k=3;

FIGS. 6a to 6c illustrate an arithmetic circuit for biometric identification of an entity according to a second mode of operation of the invention;

FIGS. 7a and 7b illustrate an arithmetic circuit for biometric identification of an entity according to a third mode of operation of the invention.

DETAILED DESCRIPTION

The present invention relates to implementing a biometric identification method of an entity 1 by an identification system 2 comprising a client device 3 and a remote computation device 4 capable of being connected together by a communications network 5, as represented in FIG. 2. Such an entity can be an individual or else an object having biometric data such as a biometric passport.

The client device and the remote computation device can each comprise a random access memory and internal storage means such as rewritable non-volatile memory (flash memory or EEPROM memory) and processing means comprising a processor. They can also comprise an interface for dialoguing with each other, of wired type such as an Ethernet link, or wireless such as a Wifi or Bluetooth connection.

The aim of the method is to allow the client device to delegate to the remote computation device the computations necessary for biometric identification of the entity to be identified, such that the computations made by the remote computation device are publicly verifiable, all within a period short enough to be acceptable for an identification method.

For conducting such biometric identification the client device acquires at least one biometric datum of the entity to be identified u. To identify the entity, this at least one biometric datum u must be compared to one or more reference biometric data u′, stored in advance.

By way of example, such biometric data can be fingerprints, DNA, voice or even iris images or venous networks. Each of these biometric data is a vector of N binary integers $u_i$ or $u'_i$ with $1\le i\le N$. Each integer $u_i$ or $u'_i$ is coded on n bits. For example in the case of a face biometric datum, there can typically be N=3000 and n=8.

The client device can comprise or be connected to a device for capturing such biometric data, such as a fingerprint reader, a microphone, or an iris-imaging device. This capture device can be employed to acquire the biometric datum u acquired for the entity 1. The reference biometric data u′ can be stored in the storage means of the client device or of the remote computation device.

The identification method can comprise the steps described hereinbelow in reference to FIG. 3.

First of all at least one matching value can be computed F1 between at least one biometric datum of the entity u and at least one reference biometric datum u′, by application of a function F, the so-called correlation function, to said biometric data. Function F comprises a scalar product between a biometric datum of the entity and a reference biometric datum. Such a scalar product computes a score $S=\sum_{j=1}^{N}(u_j\cdot u_j')$ which is higher the more similar the compared data are. Such a score can be used as matching value. To determine if an attempt at identification has succeeded, the matching values can be compared to a predetermined threshold T. Alternatively, function F can comprise the comparison of the result of the scalar product between the biometric data of the entity u and the reference biometric data u′, i.e. of the score S, to this predetermined threshold T. Computation of the matching value can comprise computation of the value (S−T), and the matching value coming from such computation can be a sign bit, for example taking the value 1 if S−T>0 and the value 0 otherwise.

To ensure the quality of the result obtained, computation of such a matching value F1 employs a non-interactive, publicly verifiable computation method. Such a method is generally divided into three phases:

-   representation of the function F to be evaluated in the form of a system of constraints represented as an arithmetic circuit.
-   transformation of this arithmetic circuit into a polynomial representation called “Quadratic Arithmetic Program” (abbreviated to QAP below).
-   generation of a proof of correction of the computation execution from the QAP.

The non-interactive, publicly verifiable computation method carried out more precisely first comprises a representation step E1 of said function F in the form of an arithmetic circuit. Such an arithmetic circuit comprises wires transporting values of the finite prime field Zq, with q a prime number, and connecting addition and multiplication operators. Typically the size q of the values of the circuit wires can be equal to 256 bits.

The arithmetic circuit is then converted E2 into a polynomial representation, QAP (“Quadratic Arithmetic Program”) or multi-QAP. Such representations and the way to attain them from an arithmetic circuit are described in more detail in the publications cited hereinabove on the existing Pinocchio and Geppetto protocols.

Next a public evaluation key and a public verification key are generated E3 as a function of said polynomial representation. The remote computation device then obtains E4 the arithmetic circuit and the public evaluation key.

The representation steps in the form of an arithmetic circuit E1, conversion into a polynomial representation E2 and generation of keys E3 can be conducted by the client device itself. Alternatively these steps can be delegated to a trusted third party. Since such steps are independent of the value of the biometric data to be compared, they can be conducted once only, prior to comparisons of biometric data described hereinbelow, and do not need to be repeated as long as the format of the biometric data to be compared does not change.

For each biometric datum of the entity at least one matching value between said biometric datum and at least one reference biometric datum is then determined E5 by the remote computation device by evaluating the arithmetic circuit with the biometric data of the entity and the reference biometric datum as inputs.

For each determined matching value the remote computation device generates E6 a proof of correction of the computation execution of the matching value, so-called generated proof, from said polynomial representation, the public evaluation key and the result of evaluation of the arithmetic circuit. It then transmits E7 the matching values and said generated proofs to the client device.

The latter verifies E8 the received proof by means of the public verification key. The verification step of said received proofs E8 may or may not comprise batch verification of pairings.

Finally the entity is identified F2 by the client device as a function of the matching values and the result of said verification of proofs.

The integers $u_i$ and $u_i'$ constituting the data of the entity and the reference data are usually encoded on a number of bits n far smaller than the size q of the values of the wires of the circuit. By way of example the number of bits n can be equal to 8 bits and the size q can be equal to 256 bits. To limit the number of multipliers necessary for representation of the function F in the form of an arithmetic circuit, several integers $u_i$, respectively $u_i'$, are encoded on each input wire of the arithmetic circuit. Representation of said function E1 comprises encoding a number k>1 of binary integers of a vector of a biometric datum on at least one input wire of the circuit. In practice, the encoding $E_k^{((j-1)k+1)}(u)$ or $E_k^{((j-1)k+1)}(u')$ of k binary integers $u_i$ or $u'_i$ on an input wire of a $j$-th multiplication operator, $1\le j\le N/k$, can be defined by the formula:

${E_{k}^{({{{({j - 1})}k} + 1})}(x)} = {{\sum\limits_{i = 1}^{k}{2^{ɛ_{i}} \cdot x_{{{({j - 1})}k} + i}}} = {{2^{ɛ_{1}} \cdot x_{{{({j - 1})}k} + 1}} + \ldots + {2^{ɛ_{k}} \cdot x_{{{({j - 1})}k} + k}}}}$

with ε₁, . . . , ε_(k) predetermined integers.)

A multiplier having on input $E_k^{((j-1)k+1)}(u)$ and $E_k^{((j-1)k+1)}(u')$ has on its output wire the product of the encodings of the k successive binary integers $u_i$ or $u'_i$ coded on its input wires. This product is noted $E_{u\cdot u',k}^{((j-1)k+1)}=E_k^{((j-1)k+1)}(u)\cdot E_k^{((j-1)k+1)}(u')$. By way of example, for j=1, there is: $E_{u\cdot u',k}^{(1)}=2^{2\cdot\varepsilon_1}\cdot u_1\cdot u_1'+2^{\varepsilon_2}\cdot(u_1\cdot u_2'+u_2\cdot u_1')+2^{2\cdot\varepsilon_2}\cdot u_2\cdot u_2'+\ldots+2^{2\cdot\varepsilon_k}\cdot u_k\cdot u_k'$

To further reduce the number of multipliers of the arithmetic circuit, the method as carried out also proposes splitting computation of the scalar product of the biometric datum of the entity u and of the reference biometric datum u′ of lengths N into several computations of scalar products of vectors of lesser size coming from splitting of the vectors u and u′. The combination of the results of these scalar products produces the score S corresponding to the result of the scalar product of u and u′.

For this, function F comprising at least m scalar products, function F can be decomposed into at least m occurrences of sub-functions, m being a divider of the length N of the biometric data vectors. Only the split sub-functions are represented by their own sub-circuit in the arithmetic circuit, reducing the number of multipliers of the circuit. To combine decomposition of the scalar product of u and u′ into m scalar sub-products, and coding of k integers on each input wire of the circuit, it is possible to select k such that k divides m. The scalar product of u and u′ can be decomposed into m scalar sub-products of vectors of length N/km. The sum of the results of these m scalar products produces an encoded score $\tilde{S}$ defined by the following formula:

$\tilde{S}=\sum_{j=1}^{N/k}E_{u\cdot u',k}^{((j-1)k+1)}=\sum_{j=1}^{N/k}\Big(2^{2\cdot\varepsilon_1}\cdot\big(u_{(j-1)k+1}\cdot u'_{(j-1)k+1}\big)+2^{\varepsilon_2}\cdot(\ldots)+\ldots+2^{2\cdot\varepsilon_k}\cdot\big(u_{jk}\cdot u'_{jk}\big)\Big)$

and of the following form if the expression hereinabove is expanded and the terms are gathered by power of 2: $\tilde{S}=2^{2\cdot\varepsilon_1}\cdot a_1+2^{\varepsilon_2}\cdot a_2'+2^{2\cdot\varepsilon_2}\cdot a_2+2^{\varepsilon_3}\cdot a_3'+\ldots+2^{2\cdot\varepsilon_k}\cdot a_k$, with $a_i$ the terms at $2^{2\cdot\varepsilon_i}$ gathering the products of integers $u_i$ and $u'_i$ of the same indices, useful for computing the scalar product of u and u′, and with $a_i'$ the terms at $2^{\varepsilon_2},\ldots,2^{\varepsilon_k}$ gathering the remaining products, i.e. cross products of integers $u_i$ and $u'_j$ of different indices, not useful for computation of the scalar product of u and u′.

To extract the score S from its encoded version $\tilde{S}$, it is possible to extract the k sub-terms corresponding to the coefficients $2^{2\cdot\varepsilon_1},\ldots,2^{2\cdot\varepsilon_k}$ (i.e., the elements $a_1,a_2,\ldots,a_k$), then add them.

The paragraphs hereinbelow present the specific features of the method for different ranges of value of the divider m. m can be determined by making a compromise between the computational powers of the client device and of the remote computation device, and in particular their memories.

In a first mode of operation in which the divider m is equal to 1, function F can be put in the form of the circuit represented in FIGS. 4a and 4b. Such a circuit comprises N/k input multipliers each taking on input $E_k^{((j-1)k+1)}(u)$ and $E_k^{((j-1)k+1)}(u')$ with $1\le j\le N/k$. In FIGS. 4a and 4b these multipliers are noted $r_j$ and the input wires are numbered from 1 to 2N/k. The N/k output wires of the multipliers carry the values $E_{u\cdot u',k}^{((j-1)k+1)}$ whereof the sum is equal to the encoded score $\tilde{S}$ described hereinabove. The circuit comprises an additional output multiplier, numbered $r_{N/k+1}$, necessary for conversion of the circuit in the form of QAP. This multiplier multiplies the output of the scalar product by 1 so as not to modify the encoded score $\tilde{S}$. Finally, a split gate is employed to extract the coefficients $a_i$ with $1\le i\le k$ corresponding to the terms of the scalar product u·u′. These terms are first split from the encoded score, then reconstituted by multiplication by powers of two; their sum produces the score S. FIGS. 4a and 4b correspond to an execution in which the score is compared to the predetermined threshold T. The value (S−T) is computed and provided as input to a second split gate to extract the sign bit indicating the result of the comparison.

More precisely, hereinbelow split gate means an arithmetic gate which splits an integer bit by bit. Given an integer $a\in\mathbb{Z}_q$, known to fit on τ bits, the split gate contains an input wire (containing the integer a) and τ output wires. In terms of elementary arithmetic constraints, its definition is given for example in the cited article Pinocchio, paragraph 3.2. It is recalled here by way of indication. Let $c_0$ be the input wire and $c_1,\ldots,c_\tau$ the output wires. The arithmetic circuit of the so-called “split gate” is defined as follows:

-   concatenation of the bits on output is equal to the input:

$\sum_{i=1}^{\tau}2^{i-1}\cdot c_i=c_0$

-   each output wire contains a Boolean value (0 or 1):

$\forall i\in\{1,\ldots,\tau\}:\ c_i\cdot(1-c_i)=0$

When a split gate is used within a circuit, the integer τ is determined as an upper bound derived from the size of the circuit inputs and from all the arithmetic gates located between the inputs and the split gate.

An example of implementation is represented in FIGS. 5a and 5b for N=3000, n=8, q=256, k=3. In such a mode of operation, the following values can be used for the parameters $\varepsilon_i$: $\varepsilon_1=0$, $\varepsilon_2=26$, $\varepsilon_3=78$.
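The packing, split gate and score extraction described above, as an added Python example that is not code from the patent. It uses the page's N=3000, n=8, k=3 and ε=(0, 26, 78); the function names, the unsigned 8-bit components, the constructed random templates, the requirement that k·m divides N, and the decoder that reads the slot at each 2^(2·ε_i) are assumptions of this example.

```python
import random

# Parameters quoted on the page for the FIGS. 5a/5b example.
N, N_BITS = 3000, 8
EPS = (0, 26, 78)                                  # eps_1..eps_k, so k = 3

def encode(x, j, eps=EPS):
    """E_k^((j-1)k+1)(x): pack k consecutive integers of x on one wire (j is 1-based)."""
    base = (j - 1) * len(eps)
    return sum(x[base + i] << e for i, e in enumerate(eps))

def encoded_score(u, v, eps=EPS, m=1):
    """Encoded score S~ as the sum of m sub-products of N/(k*m) multipliers each."""
    per_block = len(u) // (len(eps) * m)
    assert per_block * len(eps) * m == len(u), "k*m must divide N (assumption)"
    total = 0
    for z in range(1, m + 1):                      # iteration z of the sub-circuit
        for j in range(1, per_block + 1):          # multiplier r_j
            wire = (z - 1) * per_block + j         # global index of the packed wire
            total += encode(u, wire, eps) * encode(v, wire, eps)
    return total

def split_gate(a, tau):
    """Bits c_1..c_tau of a, least significant first, checked against both constraints."""
    bits = [(a >> i) & 1 for i in range(tau)]
    assert all(c * (1 - c) == 0 for c in bits)
    assert sum(c << i for i, c in enumerate(bits)) == a, "a does not fit on tau bits"
    return bits

def slot_widths(eps=EPS):
    """Distance in bits from each occupied power of two to the next one above it."""
    exps = sorted({a + b for a in eps for b in eps})
    return dict(zip(exps, (hi - lo for lo, hi in zip(exps, exps[1:]))))

def decode_score(s_tilde, n_values, eps=EPS, n_bits=N_BITS):
    """Recover S = a_1 + ... + a_k by reading the slots at 2^(2*eps_i)."""
    widths = slot_widths(eps)
    top_width = ((n_values // len(eps)) * (2**n_bits - 1) ** 2).bit_length()
    tau = 2 * max(eps) + top_width                 # upper bound on the size of S~
    bits = split_gate(s_tilde, tau)
    score = 0
    for e in eps:
        width = widths.get(2 * e, top_width)       # the highest slot has no neighbour
        score += sum(c << i for i, c in enumerate(bits[2 * e: 2 * e + width]))
    return score

def fits(u, v, eps=EPS):
    """Sufficient condition for exact decoding: no term sum spills into the next slot."""
    k, sums = len(eps), {}
    for base in range(0, len(u), k):
        for a in range(k):
            for b in range(k):
                e = eps[a] + eps[b]
                sums[e] = sums.get(e, 0) + u[base + a] * v[base + b]
    widths = slot_widths(eps)
    return all(s < (1 << widths[e]) for e, s in sums.items() if e in widths)

def demo():
    rng = random.Random(2024)                      # constructed sample templates
    u = [rng.randrange(2**N_BITS) for _ in range(N)]
    v = [rng.randrange(2**N_BITS) for _ in range(N)]
    plain = sum(a * b for a, b in zip(u, v))       # reference scalar product
    s1 = encoded_score(u, v, m=1)                  # 1000 multipliers, one pass
    s2 = encoded_score(u, v, m=2)                  # 500 multipliers, used twice
    return plain, decode_score(s1, N), s1 == s2, fits(u, v)

if __name__ == "__main__":
    print(demo())
```

On the constructed random templates every term stays inside its slot and the decoded score equals the plain scalar product. With all components at 255 the cross term at 2^26 needs 27 bits, `fits` returns False and the decoded score is off by one, so the input range has to be bounded against the chosen ε_i.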

In a second mode of operation in which the divider m is equal to 2 or 3, function F can be decomposed into a function F1 computing a scalar sub-product between two vectors of size N/km, to be used m times, and a function F2 computing the sum of m values, corresponding to a coded score, and performing extraction of the corresponding score equal to the preferred scalar product.

As represented in FIGS. 6a to 6c , the corresponding circuit comprises at least N/km multiplication operators connected to the input wires of the circuit, a storage memory, and at least one addition operator, and evaluation of the circuit iteratively comprises computation of each of the m scalar products by means of said N/km multiplication operators, storage of the m results of computations of said scalar products in said storage memory and summation of said results by means of said addition operator.

With F₁ and F₂ defined as such, evaluation of function F corresponds to m applications of function F₁ followed by application of function F₂. The circuit represented in FIGS. 6a to 6c comprises N/km input multipliers each taking on input, during the iteration z of the function F1,

$E_{k}^{({\frac{{({z - 1})}N}{m} + {{({j - 1})}k} + 1})}(u)$ and $E_{k}^{({\frac{{({z - 1})}N}{m} + {{({j - 1})}k} + 1})}\left( u^{\prime} \right)$

with 1≦j≦N/km. In FIGS. 6a to 6c these multipliers are noted r_(j) and the input wires are numbered from 1 to 2 N/km.

The m applications of function F₁ compute the coded sub-scores $\tilde{S}_z$, for $z\in\{1,\ldots,m\}$:

$\tilde{S}_z=\sum_{j=1}^{N/km}E_{u\cdot u',k}^{((z-1)\cdot(N/m)+(j-1)\cdot k+1)}$

By way of example, for z=1, there is:

$\tilde{S}_1=\sum_{j=1}^{N/km}E_{u\cdot u',k}^{((j-1)k+1)}=\sum_{j=1}^{N/km}\Big(2^{2\cdot\varepsilon_1}\cdot\big(u_{(j-1)k+1}\cdot u'_{(j-1)k+1}\big)+2^{\varepsilon_2}\cdot(\ldots)+\ldots+2^{2\cdot\varepsilon_k}\cdot\big(u_{jk}\cdot u'_{jk}\big)\Big)$

During the iteration z the N/km output wires of the multipliers thus carry the values

$E_{u\cdot u',k}^{\left(\frac{(z-1)N}{m}+(j-1)k+1\right)}$

whereof the sum is equal to the encoded score $\tilde{S}_z$ described hereinabove. The circuit comprises an additional output multiplier, numbered $r_{N/km+1}$, necessary for conversion of the circuit into the form of QAP. The m coded sub-scores $\tilde{S}_z$, noted $\tilde{S}_z^{(out)}$ in FIGS. 6a to 6c, are stored in the storage memory corresponding to the m buses (“Bus Bank”) of the verifiable computation method. Evaluation of function F2, with on input the m values coming from the buses, noted $\tilde{S}_z^{(in)}$ in FIGS. 6a to 6c, produces the coded score $\tilde{S}$ described hereinabove.

As in the case of the circuit in FIGS. 4a and 4b , a first split gate recovers the terms a_(i) with 1≦i≦k corresponding to the terms of the scalar product u·u′. The summation of these terms produces the score S which is then compared to the predetermined threshold T.

According to a variant not represented, function F1 can comprise decoding of the coded sub-score $\tilde{S}_z$ obtained during its evaluation into a sub-score $S_z$. Such decoding can be done similarly to the decoding of the coded score $\tilde{S}$ presented hereinabove. Function F2 comprises only the summation of the sub-scores $S_z$ to obtain the score S corresponding to the scalar product u·u′, according to the formula:

$\sum_{z=1}^{m}S_z=\sum_{z=1}^{m}\Big(\sum_{j=1}^{N/km}\Big(\sum_{i=1}^{k}u_{(z-1)\cdot(N/m)+(j-1)\cdot k+i}\cdot u'_{(z-1)\cdot(N/m)+(j-1)\cdot k+i}\Big)\Big)=\sum_{z=1}^{N}u_z\cdot u_z'=\langle u,u'\rangle=S$

In a third mode of operation in which the divider m is greater than or equal to 4, it is possible to decompose function F into a function F₁ and a function F₂, used alternately m times in total, which each take on input two vectors of size N/km and a sub-score, and return on output an updated sub-score defined as the sum of the sub-score given on input and the result of the scalar product of the vectors provided on input; and a function F₃ which decodes a coded score $\tilde{S}$ into a score S.

As represented in FIGS. 7a and 7b, the circuit comprises at least one first computation sub-circuit of scalar product comprising N/km first multiplication operators connected to the input wires of the circuit, for evaluation of function F1 for z odd, and a first storage memory, and a second computation sub-circuit of scalar product comprising N/km second multiplication operators connected to the input wires of the circuit, for evaluation of function F2 for z even, and a second storage memory, each of said sub-circuits being also connected to an output of the storage memory of the other sub-circuit, and evaluation of the circuit iteratively comprises computation of each of the m scalar products by using alternately the first or the second sub-circuit to compute the sum of the scalar product of the values of the input wires of this sub-circuit and of the value stored in the storage memory of the other sub-circuit.

With F₁, F₂ and F₃ defined as such, evaluation of the function F then corresponds to m applications, alternately, of function F₁ and function F₂, followed by application of function F₃.

The circuit represented in FIGS. 7a and 7b comprises two sets of N/km input multipliers. During the iteration z of the function F1 or F2, the N/km multipliers of the relevant sub-circuit each take on input,

$E_{k}^{({\frac{{({z - 1})}N}{m} + {{({j - 1})}k} + 1})}(u)$ and $E_{k}^{({\frac{{({z - 1})}N}{m} + {{({j - 1})}k} + 1})}\left( u^{\prime} \right)$

with 1≦j≦N/km. In FIGS. 7a and 7b these multipliers are noted r_(j) with respectively 1≦j≦N/km and N/km+2≦j≦2 N/km+1. The input wires are numbered respectively from 1 to 2 N/km and from 3 N/km+3 to 5 N/km+2.

The m applications of functions F₁ and F₂ compute the coded sub-scores $\tilde{S}_z$, for $z\in\{1,\ldots,m\}$:

$\tilde{S}_z=\sum_{\zeta=1}^{z}\sum_{j=1}^{N/km}E_{u\cdot u',k}^{((\zeta-1)\cdot(N/m)+(j-1)\cdot k+1)}$

The N/km output wires of the multipliers of a sub-circuit during the iteration z carry the values

$E_{u\cdot u',k}^{\left(\frac{(z-1)N}{m}+(j-1)k+1\right)}$

whereof the sum, added to the coded sub-score of the preceding iteration $\tilde{S}_{z-1}$, is equal to the encoded score $\tilde{S}_z$ described hereinabove. The sub-score $\tilde{S}_0$ can also be initialized at 0 during the first iteration. The coded score $\tilde{S}$ is constructed iteratively, each iteration adding to the sub-score coming from the preceding iteration the result of the current scalar sub-product $\sum_{j=1}^{N/km}E_{u\cdot u',k}^{((z-1)(N/m)+(j-1)\cdot k+1)}$.

The circuit comprises an additional output multiplier for each sub-circuit, numbered $r_{N/km+1}$, $r_{2N/km+2}$, necessary for conversion of the circuit in the form of QAP. On completion of its evaluation each sub-circuit stores the coded sub-scores $\tilde{S}_z$ computed in the storage memory corresponding to its bus (Bus Bank) r2 _(N/km+3), r_(2N/km+219) in terms of the verifiable computation method.

On completion of m iterations of functions F1 and F2, the coded score $\tilde{S}$ is thus stored in one of the two storage memories. In the example of FIGS. 7a and 7b, it is supposed that m is odd. The coded score $\tilde{S}$ is stored in the first storage memory. During evaluation of the function F3, with the coded score $\tilde{S}$ on input, a first split gate recovers the terms $a_i$ with $1\le i\le k$ corresponding to the terms of the scalar product u·u′. The summation of these terms produces the score S which is then compared to the predetermined threshold T.

Within the scope of the method described hereinabove the operations to be carried out for generation of the evaluation and verification public keys, and for generation and verification of computation proof can be derived from existing verifiable computation protocols such as Pinocchio, when m=1, and Geppetto, when m>1. The paragraphs hereinbelow describe these operations in more detail as a function of the value of the divider m.

It is to be understood that the embodiment to be described is a particularly advantageous embodiment which is not limiting. The skilled person can use other ways to perform generation of the evaluation and verification public keys, generation and verification of computation proof, and derive said operations from other verifiable existing computation protocols.

Case m=1: In the first mode of operation where m=1, an asymmetric bilinear environment (q, G₁, G₂, G_(T), g₁, g₂, e) is defined with q a prime number, G₁, G₂ and G_(T) three groups of order q, g₁ a generator of G₁, g₂ a generator of G₂, and e a non-degenerate bilinear pairing e: G₁×G₂→G_(T).

The arithmetic circuit can be represented in the form of a polynomial representation of the circuit Q=(t,V,W,Y) of size ρ and degree δ, with $V=\{v_i\}$, $W=\{w_i\}$, $Y=\{y_i\}$, $0\le i\le\rho$.

The following are noted hereinbelow:

$I_{io}=\{1,\ldots,\theta\}$ the set of indices corresponding to the input/output wires of the circuit,

$I_{mid}=\{\theta+1,\ldots,\rho\}$ the set of indices of the intermediate wires of the circuit not being input wires of the circuit.

During generation step E3 of a public evaluation key and a public verification key, random variables $r_v, r_w, s, \alpha_v, \alpha_w, \alpha_y, \beta, \gamma$ are first generated in $\mathbb{Z}_q$.

Then the following coefficients are defined: $r_y=r_v\cdot r_w$, $g_{v1}=g_1^{r_v}$, $g_{w1}=g_1^{r_w}$, $g_{w2}=g_2^{r_w}$, $g_{y1}=g_1^{r_y}$ and $g_{y2}=g_2^{r_y}$.

The public evaluation key EK_(F) is then generated as equal to (EK_(F1), EK_(F2)) where

${EK}_{F\; 1} = \begin{pmatrix} {\left\{ g_{v\; 1}^{v_{i}{(s)}} \right\}_{i \in I_{mid}},\left\{ g_{w\; 1}^{w_{i}{(s)}} \right\}_{i \in I_{mid}},\left\{ g_{y\; 1}^{y_{i}{(s)}} \right\}_{i \in I_{mid}},} \\ {\left\{ g_{v\; 1}^{\alpha_{v} \cdot {v_{i}{(s)}}} \right\}_{i \in I_{mid}},\left\{ g_{w\; 1}^{\alpha_{w} \cdot {w_{i}{(s)}}} \right\}_{i \in I_{mid}},\left\{ g_{y\; 1}^{\alpha_{y} \cdot {y_{i}{(s)}}} \right\}_{i \in I_{mid}},} \\ {\left\{ g_{1}^{s^{i}} \right\}_{i \in {\lbrack{1,\delta}\rbrack}},\left\{ {g_{v\; 1}^{\beta \cdot {v_{i}{(s)}}} \cdot g_{w\; 1}^{\beta \cdot {w_{i}{(s)}}} \cdot g_{y\; 1}^{\beta \cdot {y_{i}{(s)}}}} \right\}_{i \in I_{mid}}} \end{pmatrix}$ EK_(F 2) = ({g_(w 2)^(w_(i)(s))}_(i ∈ I_(mid)))

The public verification key VK_(F) is also generated as equal to (VK_(F1), VK_(F2)) where:

$VK_{F1}=\big(g_1,\ \{g_{v1}^{v_i(s)}\}_{i\in[1,\theta]},\ \{g_{y1}^{y_i(s)}\}_{i\in[1,\theta]}\big)$

$VK_{F2}=\big(g_2,\ g_2^{\alpha_v},\ g_2^{\alpha_w},\ g_2^{\alpha_y},\ g_2^{\beta\cdot\gamma},\ g_{y2}^{t(s)},\ \{g_{w2}^{w_i(s)}\}_{i\in[1,\theta]}\big)$.

The remote computation device then obtains E4 the arithmetic circuit and the public evaluation key.

For each biometric datum of the entity, at least one matching value between the biometric datum of the entity and at least one reference biometric datum can then be determined E5 by the remote computation device by evaluating the received arithmetic circuit on the biometric data of the entity and the reference biometric data. The set of values of the circuit $\{c_i\}_{i\in[1,\rho]}$ can then be obtained.

Generation E6 by the remote computation device, for each determined matching value, of a proof of correction of the computation execution of the matching value, so-called generated proof π=(π₁,π₂) can then comprise:

determination of a polynomial h(x) such that p(x)=h(x)·t(x) with $p(x)=\big(v_0(x)+\sum_{i=1}^{\rho}c_i\cdot v_i(x)\big)\cdot\big(w_0(x)+\sum_{i=1}^{\rho}c_i\cdot w_i(x)\big)-\big(y_0(x)+\sum_{i=1}^{\rho}c_i\cdot y_i(x)\big)$,

computation of:

$\pi_1=\begin{pmatrix}g_{v1}^{v_{mid}(s)},\ g_{w1}^{w_{mid}(s)},\ g_{y1}^{y_{mid}(s)},\ g_1^{h(s)},\\ g_{v1}^{\alpha_v\cdot v_{mid}(s)},\ g_{w1}^{\alpha_w\cdot w_{mid}(s)},\ g_{y1}^{\alpha_y\cdot y_{mid}(s)},\\ g_{v1}^{\beta\cdot v_{mid}(s)}\cdot g_{w1}^{\beta\cdot w_{mid}(s)}\cdot g_{y1}^{\beta\cdot y_{mid}(s)}\end{pmatrix}$

and $\pi_2=\big(g_{w2}^{w_{mid}(s)}\big)$ where: $v_{mid}(x)=\sum_{i\in I_{mid}}c_i\cdot v_i(x)$, $w_{mid}(x)=\sum_{i\in I_{mid}}c_i\cdot w_i(x)$ and $y_{mid}(x)=\sum_{i\in I_{mid}}c_i\cdot y_i(x)$. The remote computation device then transmits E7 the matching values and said generated proofs to the client device.

The proofs received by the client device are of the form $(\pi_{r1},\pi_{r2})$ with $\pi_{r1}$ of the form $\big(g_{v1}^{V_{mid}},\ g_{w1}^{W_{mid}},\ g_{y1}^{Y_{mid}},\ g_1^{H},\ g_{v1}^{V'_{mid}},\ g_{w1}^{W'_{mid}},\ g_{y1}^{Y'_{mid}},\ g_1^{Z}\big)$ and $\pi_{r2}$ of the form $g_{w2}^{W_{mid}}$.

The client device then verifies E8 each received proof (π_(r1), π_(r2)) by performing the following equality tests:

-   $e\big(g_{v1}^{v_0(s)}\cdot g_{v1}^{v_{io}(s)}\cdot g_{v1}^{V_{mid}},\ g_{w2}^{w_0(s)}\cdot g_{w2}^{w_{io}(s)}\cdot g_{w2}^{W_{mid}}\big)=e\big(g_1^{H},\ g_{y2}^{t(s)}\big)\cdot e\big(g_{y1}^{y_0(s)}\cdot g_{y1}^{y_{io}(s)}\cdot g_{y1}^{Y_{mid}},\ g_2\big)$,
-   $e\big((g_{v1}^{V'_{mid}})^{d_1}\cdot(g_{w1}^{W'_{mid}})^{d_2}\cdot(g_{y1}^{Y'_{mid}})^{d_3},\ g_2\big)=e\big((g_{v1}^{V_{mid}})^{d_1},\ g_2^{\alpha_v}\big)\cdot e\big((g_{w1}^{W_{mid}})^{d_2},\ g_2^{\alpha_w}\big)\cdot e\big((g_{y1}^{Y_{mid}})^{d_3},\ g_2^{\alpha_y}\big)$,
-   $e\big(g_1^{Z},\ g_2^{\gamma}\big)=e\big(g_{v1}^{V_{mid}}\cdot g_{w1}^{W_{mid}}\cdot g_{y1}^{Y_{mid}},\ g_2^{\beta\cdot\gamma}\big)$

where $g_{v1}^{v_{io}(s)}=\prod_{i=1}^{\theta}\big(g_{v1}^{v_i(s)}\big)^{c_i}$, $g_{w1}^{w_{io}(s)}=\prod_{i=1}^{\theta}\big(g_{w1}^{w_i(s)}\big)^{c_i}$, and $g_{y1}^{y_{io}(s)}=\prod_{i=1}^{\theta}\big(g_{y1}^{y_i(s)}\big)^{c_i}$, and $(d_1,d_2,d_3)$ elements of $\mathbb{Z}_q$ on λ bits with λ a security parameter. In this mode of operation the verification step of said received proofs therefore comprises batch verification of pairings.
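The divisibility relation p(x)=h(x)·t(x) behind the proof above, as an added Python example that is not code from the patent or from Pinocchio. It builds a three-gate QAP for a two-term scalar product over a toy 61-bit prime field (an assumption; the page uses a 256-bit q), and checks p(s)=h(s)·t(s) in the clear rather than under pairings; the wire numbering, gate roots and function names are hypothetical, and the α, β, γ consistency tests are left out.

```python
Q = 2**61 - 1            # toy prime field (assumption); the page uses a 256-bit q
ROOTS = [1, 2, 3]        # one root of t(x) per multiplication gate

# Wire 0 is the constant 1; wires 1..4 are u1, u1', u2, u2'; 5 and 6 the products; 7 the output.
LEFT = {1: [0], 3: [1], 5: [2], 6: [2]}    # wire -> gates it feeds as left input
RIGHT = {2: [0], 4: [1], 0: [2]}           # the output gate multiplies by the constant 1
OUT = {5: [0], 6: [1], 7: [2]}
N_WIRES = 8

def poly_add(a, b):
    n = max(len(a), len(b))
    a, b = a + [0] * (n - len(a)), b + [0] * (n - len(b))
    return [(x + y) % Q for x, y in zip(a, b)]

def poly_mul(a, b):
    out = [0] * (len(a) + len(b) - 1)
    for i, x in enumerate(a):
        for j, y in enumerate(b):
            out[i + j] = (out[i + j] + x * y) % Q
    return out

def poly_eval(a, x):
    acc = 0
    for coef in reversed(a):               # Horner evaluation, lowest coefficient first
        acc = (acc * x + coef) % Q
    return acc

def poly_divmod(a, b):
    """Long division in Z_Q[x]; returns (quotient, remainder)."""
    a = a[:]
    quot = [0] * max(len(a) - len(b) + 1, 1)
    inv_lead = pow(b[-1], -1, Q)
    for i in range(len(a) - len(b), -1, -1):
        coef = a[i + len(b) - 1] * inv_lead % Q
        quot[i] = coef
        for j, y in enumerate(b):
            a[i + j] = (a[i + j] - coef * y) % Q
    return quot, a[:len(b) - 1]

def interpolate(ys):
    """Lagrange interpolation through the points (ROOTS[g], ys[g])."""
    total = [0]
    for g, yg in enumerate(ys):
        term = [yg % Q]
        for h, rh in enumerate(ROOTS):
            if h != g:
                inv = pow((ROOTS[g] - rh) % Q, -1, Q)
                term = poly_mul(term, [(-rh * inv) % Q, inv])
        total = poly_add(total, term)
    return total

def selector(table):
    """Polynomials v_i (or w_i, y_i): 1 at the gates wire i feeds, 0 at the others."""
    return [interpolate([1 if g in table.get(i, []) else 0 for g in range(len(ROOTS))])
            for i in range(N_WIRES)]

V, W, Y = selector(LEFT), selector(RIGHT), selector(OUT)
T = [1]
for r in ROOTS:
    T = poly_mul(T, [(-r) % Q, 1])         # t(x) = (x-1)(x-2)(x-3)

def witness(u1, v1, u2, v2):
    """All wire values c_0..c_7 for the score u1*v1 + u2*v2."""
    return [1, u1, v1, u2, v2, u1 * v1, u2 * v2, u1 * v1 + u2 * v2]

def combine(polys, c):
    acc = [0]
    for ci, p in zip(c, polys):
        acc = poly_add(acc, [ci * x % Q for x in p])
    return acc

def p_of(c):
    """p(x) = (sum c_i v_i)(sum c_i w_i) - (sum c_i y_i), with c_0 = 1 for wire 0."""
    neg_y = [(-x) % Q for x in combine(Y, c)]
    return poly_add(poly_mul(combine(V, c), combine(W, c)), neg_y)

def prove(c):
    """Prover side: h(x) and the remainder of p(x) / t(x) (all zero for a valid c)."""
    return poly_divmod(p_of(c), T)

def check_at(c, h, s):
    """Identity enforced by the first pairing test, evaluated in the clear at s."""
    return poly_eval(p_of(c), s) == poly_eval(h, s) * poly_eval(T, s) % Q

if __name__ == "__main__":
    c = witness(3, 5, 7, 11)               # constructed inputs, score 92
    h, rem = prove(c)
    print(c[7], rem, check_at(c, h, 123456789))
```

A claimed score that differs from the real one leaves a non-zero remainder, so no h(x) satisfies the identity at a point s that is not a root of t(x).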

Case m>1:

A bank B is a subset of the indices [1, ρ] (in other words a subset of the circuit wires) and an instance of a bank B is a set of values for these indices (for example noted $\{c_j\}_{j\in B}$).

The function F is divided into ω sub-functions F₁, . . . , F_(ω). For example, in the case of FIGS. 6 and 7, ω=2 and ω=3 respectively can be selected, as described hereinabove.

$\sigma=((f_l,(T_{l1},\ldots,T_{ll})))_{l \in [1,L]}$ is defined as a scheduling of length L with $f_l \in \{1,\ldots,\omega\}$ the index of the function to be computed. By way of example, in the case m=2 or m=3 described hereinabove in reference to FIGS. 6a to 6c, L=m+1 and the function F is split into two functions F₁, F₂. The banks used are: $(B_{io}, B_{L_1}, B_{L_2}, B_{B_1},\ldots,B_{B_m})$ where:

- $B_{io}$: banks of input/output type. Number of instances: m+1
- $B_{L_1}$: bank of local type for F₁. Number of instances: m
- $B_{L_2}$: bank of local type for F₂. Number of instances: 1
- $B_{B_1},\ldots,B_{B_m}$: banks of bus type. An instance of each.

The scheduling of proofs, of length m+1, is:

σ=((1,(1,1,0,1,0, . . . 0)), . . . ,(1,(m,m,0, . . . ,1)),(2,(m+1,0,1, . . . ,1)))

In other words, the scheduling of proofs is:

- For $l \in \{1,\ldots,m\}$: digest of $B_{L_1}^{(l)}$, pledging of $B_{B_l}$, proof with $B_{L_1}^{(l)}$, inputs $B_{io}^{(l)}$, and bus $B_{B_l}$.
- For l=m+1: digest of $B_{L_2}$, proof with $B_{L_2}$, inputs $B_{io}^{(l)}$, and all buses $B_{B_1},\ldots,B_{B_m}$.

By way of example, in the case m≥4 described hereinabove in reference to FIGS. 7a and 7b, the function F is split into three functions F₁, F₂, F₃. The banks used are: $(B_{io}, B_{L_1}, B_{L_2}, B_{L_3}, B_{B_1}, B_{B_2})$ where:

- $B_{io}$: banks of input/output type. Number of instances: m+1
- $B_{L_1}$: bank of local type for F₁. Number of instances: $\lceil m/2 \rceil$
- $B_{L_2}$: bank of local type for F₂. Number of instances: $\lceil m/2 \rceil$
- $B_{L_3}$: bank of local type for F₃. Number of instances: 1
- $B_{B_1}, B_{B_2}$: banks of bus type. $\lceil m/2 \rceil$ instances of the first, $\lceil m/2 \rceil$ instances of the second.

The scheduling of proofs, of length m+1, is:

σ=(σ₁,σ₂, . . . σ_(m),σ_(m+1))

where:

- For $l \in \{1,\ldots,m\}$:
  - If l odd: digest of $B_{L_1}^{(\lceil l/2 \rceil)}$, pledging of $B_{B_1}$, proof with $B_{L_1}^{(\lceil l/2 \rceil)}$, inputs $B_{io}^{(l)}$, and bus $B_{B_1}$.

    $\sigma_l=(1,(l,\lceil l/2 \rceil,0,0,\lceil l/2 \rceil,\lceil l/2 \rceil-1))$

  - If l even: digest of $B_{L_2}^{(\lceil l/2 \rceil)}$, pledging of $B_{B_2}$, proof with $B_{L_2}^{(\lceil l/2 \rceil)}$, inputs $B_{io}^{(l)}$, and bus $B_{B_2}$.

    $\sigma_l=(2,(l,0,\lceil l/2 \rceil,0,\lceil l/2 \rceil-1,\lceil l/2 \rceil))$

- For l=m+1: digest of $B_{L_3}$, proof with $B_{L_3}$, inputs $B_{io}^{(l)}$, and the bus bank $B_{B_1}$ (if m is odd) or $B_{B_2}$ (if not).

  $\sigma_l=(3,(m+1,0,0,1,\lceil l-\tfrac{1}{2} \rceil,0))$ or $\sigma_l=(3,(m+1,0,0,1,0,\lceil l-\tfrac{1}{2} \rceil))$.

For a number x the notation $\lceil x/2 \rceil$ (respectively $\lfloor x/2 \rfloor$) designates the natural integer greater than or equal (respectively less than or equal) to the rational value x/2. For more information on the use of banks and such scheduling, the paragraphs hereinbelow can be read in the light of the publication referenced hereinabove describing the Geppetto protocol, from which the protocol presented hereinbelow is derived.

In these second and third modes of operation, an asymmetric bilinear environment (q, G₁, G₂, G_(T), g₁, g₂, e) is defined with q a prime number, G₁, G₂ and G_(T) three groups of order q, g₁ a generator of G₁, g₂ a generator of G₂, and e a non-degenerate bilinear pairing e: G₁×G₂→G_(T).

The arithmetic circuit can be represented in the form of a multi-QAP $Q=(\{B_b\}_{b \in [1,l]}, t, V, W, Y)$ of size ρ and degree δ, with $\{B_b\}_{b \in [1,l]}$ a set of l banks $B_b$ of Q used in computing the function F, and $V=\{v_i\}$, $W=\{w_i\}$, $Y=\{y_i\}$ with 0≤i≤ρ.

During the generation step E3 by the client device of a public evaluation key and a public verification key, random variables $s, \{(\alpha_{bv}, \alpha_{bw}, \alpha_{by}, \beta_b, \gamma_b)\}_{b \in [1,l]}, r_v, r_w$ are generated in _(q).

Next, the following coefficients are defined: $r_y=r_v \cdot r_w$, $g_{v1}=g_1^{r_v}$, $g_{v2}=g_2^{r_v}$, $g_{w1}=g_1^{r_w}$, $g_{w2}=g_2^{r_w}$, $g_{y1}=g_1^{r_y}$ and $g_{y2}=g_2^{r_y}$.

The public evaluation key EK_(F) is generated as equal to:

$\left(\{EK_{Fb}\}_{b \in [1,l]}, \{g_1^{s^i}\}_{i \in [1,\delta]}, g_{v1}^{t(s)}, g_{w1}^{t(s)}, g_{y1}^{t(s)}, g_{v2}^{t(s)}, g_{w2}^{t(s)}, g_{y2}^{t(s)}\right)$

Each public bank key EK_(Fb) is equal to (EK_(Fb1), EK_(Fb2)) and generated by computing:

${EK}_{{Fb}\; 1} = \begin{pmatrix} {\begin{Bmatrix} {g_{v\; 1}^{v_{i}{(s)}},g_{w\; 1}^{w_{i}{(s)}},g_{y\; 1}^{y_{i}{(s)}},g_{v\; 1}^{\alpha_{bv} \cdot {v_{i}{(s)}}},g_{w\; 1}^{\alpha_{bw} \cdot {w_{i}{(s)}}},g_{y\; 1}^{\alpha_{by} \cdot {y_{i}{(s)}}},} \\ {g_{v\; 1}^{\beta_{b} \cdot {v_{i}{(s)}}} \cdot g_{w\; 1}^{\beta_{b} \cdot {w_{i}{(s)}}} \cdot g_{y\; 1}^{\beta_{b} \cdot {y_{i}{(s)}}}} \end{Bmatrix}_{i \in B_{b}},} \\ {g_{v\; 1}^{\alpha_{bv} \cdot {t{(s)}}},g_{w\; 1}^{\alpha_{bw} \cdot {t{(s)}}},g_{y\; 1}^{\alpha_{by} \cdot {t{(s)}}},g_{v\; 1}^{\beta_{b} \cdot {t{(s)}}},g_{w\; 1}^{\beta_{b} \cdot {t{(s)}}},g_{y\; 1}^{\beta_{b} \cdot {t{(s)}}}} \end{pmatrix}$      EK_(Fb 2) = ({g_(w 2)^(w_(i)(s))}_(i ∈ B_(b)), g_(w 2)^(α_(bw) ⋅ t(s))).

The public verification key VK_(F) is also generated as equal to: $\left(\{VK_{Fb}\}_{b \in [1,l]}, g_1, g_2, g_{y2}^{t(s)}\right)$.

Each public bank key VK_(Fb) is equal to $\left(g_2^{\alpha_{bv}}, g_2^{\alpha_{bw}}, g_2^{\alpha_{by}}, g_2^{\gamma_b}, g_2^{\beta_b \cdot \gamma_b}\right)$.

The remote computation device obtains E4 the arithmetic circuit and the public evaluation key.

For each biometric datum of the entity, at least one matching value between said biometric datum and at least one reference biometric datum can then be determined E5 by the remote computation device by evaluating the received arithmetic circuit with the biometric data of the entity and the reference biometric data as inputs. The remote computation device evaluates each sub-function F_(ω) from the biometric data of the entity and the reference biometric data to obtain the matching value and the values of the circuit.

Generation E6 by the remote computation device, for each determined matching value, of a proof of correction of the computation execution of the matching value can comprise for each l={1, . . . , L} a list of digests and proofs obtained as described hereinbelow.

Let Λ⊂[1,l] be the set of indices $b \in [1,l]$ such that $T_{lb} \neq 0$ in the scheduling $\sigma=((f_l,(T_{l1},\ldots,T_{ll})))_{l \in [1,L]}$.

The following are noted hereinbelow: $\Gamma=\bigcup_{b \in \Lambda} B_b$, $\{c_j\}_{j \in B_b}$ an instance of the bank $B_b$ and $\Delta=\{c_i\}_{i \in \Gamma}$ the set of values of Γ.

For each bank $B_b$ such that $b \in \Lambda$, the remote computation device generates pledging random variables $o_b=(o_{bv}, o_{bw}, o_{by})$ in _(q).

It then computes the digest $D_b$ equal to $(D_{b1}, D_{b2})$ from the instance of the bank of variables $B_b$: $B_b^{(T_{lb})}=\{c_i \in \Delta\}_{i \in B_b}$ and the pledging random variables $o_b$. Such digests are such that:

- if the bank $B_b$ is an input/output bank: $D_{b1}=\left(g_{v1}^{v^{(b)}(s)}, g_{y1}^{y^{(b)}(s)}\right)$ and $D_{b2}=\left(g_{w1}^{w^{(b)}(s)}\right)$,
- if the bank $B_b$ is not an input/output bank:

$D_{b1} = \begin{pmatrix} g_{v1}^{v^{(b)}(s)}, g_{w1}^{w^{(b)}(s)}, g_{y1}^{y^{(b)}(s)}, g_{v1}^{\alpha_{bv} \cdot v^{(b)}(s)}, g_{w1}^{\alpha_{bw} \cdot w^{(b)}(s)}, g_{y1}^{\alpha_{by} \cdot y^{(b)}(s)}, \\ g_{v1}^{\beta_b \cdot v^{(b)}(s)} \cdot g_{w1}^{\beta_b \cdot w^{(b)}(s)} \cdot g_{y1}^{\beta_b \cdot y^{(b)}(s)} \end{pmatrix}$

$D_{b2} = \left(g_{w2}^{w^{(b)}(s)}\right)$

with:

$v^{(b)}(s)=\sum_{i \in B_b} c_i \cdot v_i(s)+o_{bv} \cdot t(s),$

$w^{(b)}(s)=\sum_{i \in B_b} c_i \cdot w_i(s)+o_{bw} \cdot t(s),$

$y^{(b)}(s)=\sum_{i \in B_b} c_i \cdot y_i(s)+o_{by} \cdot t(s).$

The remote computation device then determines a polynomial $h^{(l)}(x)$ such that $p^{(l)}(x)=h^{(l)}(x) \cdot t(x)$ with

$p^{(l)}(x)=\left(v_0(x)+\sum_{i \in \Gamma} c_i \cdot v_i(x)+\sum_{b \in \Lambda} o_{bv} \cdot t(x)\right) \cdot \left(w_0(x)+\sum_{i \in \Gamma} c_i \cdot w_i(x)+\sum_{b \in \Lambda} o_{bw} \cdot t(x)\right)-\left(y_0(x)+\sum_{i \in \Gamma} c_i \cdot y_i(x)+\sum_{b \in \Lambda} o_{by} \cdot t(x)\right)$

Finally, it computes a proof element $\pi^{(l)}$ equal to $g_1^{h^{(l)}(s)}$.
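The following added example, which is not part of the original document, carries the digest and quotient computation through on a constructed two-gate circuit with a single bank. It assumes v₀ = w₀ = y₀ = 0 and a toy prime `Q`; the circuit, its values and all function names are hypothetical. It shows that the pledging terms o·t(x) change the committed polynomials without affecting divisibility of p(x) by t(x), while a wrong wire value leaves a nonzero remainder.

```python
import secrets

Q = 2**61 - 1        # toy prime field order (constructed)
T = [2, Q - 3, 1]    # t(x) = (x-1)(x-2), coefficients from lowest degree; one root per gate
L1 = [2, Q - 1]      # Lagrange basis 2 - x:  L1(1) = 1, L1(2) = 0
L2 = [Q - 1, 1]      # Lagrange basis x - 1:  L2(1) = 0, L2(2) = 1

# Constructed circuit on wires c1..c5: gate 1 computes c4 = c1*c2, gate 2 computes c5 = c4*c3.
V = {1: L1, 4: L2}   # left inputs of gates 1 and 2
W = {2: L1, 3: L2}   # right inputs
Y = {4: L1, 5: L2}   # outputs


def padd(a, b):
    n = max(len(a), len(b))
    return [((a[i] if i < len(a) else 0) + (b[i] if i < len(b) else 0)) % Q
            for i in range(n)]


def pscale(a, k):
    return [x * k % Q for x in a]


def pmul(a, b):
    out = [0] * (len(a) + len(b) - 1)
    for i, x in enumerate(a):
        for j, y in enumerate(b):
            out[i + j] = (out[i + j] + x * y) % Q
    return out


def pdivmod(a, d):
    """Divide a by the monic polynomial d; return (quotient, remainder)."""
    a = a[:]
    quo = [0] * max(len(a) - len(d) + 1, 1)
    for k in range(len(a) - len(d), -1, -1):
        coef = a[k + len(d) - 1]
        quo[k] = coef
        for j, dj in enumerate(d):
            a[k + j] = (a[k + j] - coef * dj) % Q
    return quo, a[:len(d) - 1]


def peval(a, s):
    return sum(coef * pow(s, i, Q) for i, coef in enumerate(a)) % Q


def blinded(polys, c, o):
    """sum_i c_i * poly_i(x) + o * t(x): the polynomial committed to in a digest."""
    acc = pscale(T, o)
    for i, poly in polys.items():
        acc = padd(acc, pscale(poly, c[i]))
    return acc


def quotient_and_remainder(c, o):
    """Return (h, r) with p = h*t + r for p = V*W - Y built from blinded polynomials."""
    o_v, o_w, o_y = o
    p = padd(pmul(blinded(V, c, o_v), blinded(W, c, o_w)),
             pscale(blinded(Y, c, o_y), Q - 1))
    return pdivmod(p, T)


def random_pledge():
    return tuple(secrets.randbelow(Q - 1) + 1 for _ in range(3))


if __name__ == "__main__":
    valid = {1: 3, 2: 4, 3: 5, 4: 12, 5: 60}   # 3*4 = 12, 12*5 = 60
    wrong = dict(valid, **{5: 61})             # incorrect output wire
    print("valid remainder:", quotient_and_remainder(valid, random_pledge())[1])
    print("wrong remainder:", quotient_and_remainder(wrong, random_pledge())[1])
```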

The remote computation device then transmits E7 the matching values and said generated proofs comprising the list of computed digests and proof elements to the client device.

The proofs received by the client device are of the form: $D_1^{(1)},\ldots,D_l^{(1)},\pi^{(1)},\ldots,D_1^{(L)},\ldots,D_l^{(L)},\pi^{(L)}$ where for all $l \in \{1,\ldots,L\}$ and $b \in \{1,\ldots,l\}$:

$D_b^{(l)} = \left(\left(g_{v1}^{V_b^{(l)}}, g_{w1}^{W_b^{(l)}}, g_{y1}^{Y_b^{(l)}}, g_{v1}^{V_b^{\prime(l)}}, g_{w1}^{W_b^{\prime(l)}}, g_{y1}^{Y_b^{\prime(l)}}, g_1^{Z_b^{(l)}}\right), \left(g_{w2}^{W_b^{(l)}}\right)\right)$

and $\pi^{(l)}=g_1^{H^{(l)}}$.

Two implementation variants of the verification E8 of the received proofs are specified hereinbelow.

In a first implementation variant, the client device then verifies each received proof by performing:

- verification of L·l digests, for $l \in \{1,\ldots,L\}$ and $b \in \{1,\ldots,l\}$, comprising the following equality tests:

$e\left(g_{v1}^{V_b^{\prime(l)}}, g_2^{\alpha_{bv}}\right) = e\left(g_{v1}^{V_b^{(l)}}, g_2\right)$

$e\left(g_{w1}^{W_b^{\prime(l)}}, g_2^{\alpha_{bw}}\right) = e\left(g_{w1}^{W_b^{(l)}}, g_2\right)$

$e\left(g_{y1}^{Y_b^{\prime(l)}}, g_2^{\alpha_{by}}\right) = e\left(g_{y1}^{Y_b^{(l)}}, g_2\right)$

$e\left(g_1^{Z_b^{(l)}}, g_2^{\gamma_b}\right) = e\left(g_{v1}^{V_b^{(l)}} \cdot g_{w1}^{W_b^{(l)}} \cdot g_{y1}^{Y_b^{(l)}}, g_2^{\beta_b \cdot \gamma_b}\right)$

- verification of L proofs comprising for $l \in \{1,\ldots,L\}$ the following equality test:

$e\left(\prod_{b=1}^{l} g_{v1}^{V_b^{(l)}}, \prod_{b=1}^{l} g_{w2}^{W_b^{(l)}}\right) = e\left(g_1^{H^{(l)}}, g_{y2}^{t(s)}\right) \cdot e\left(\prod_{b=1}^{l} g_{y1}^{Y_b^{(l)}}, g_2\right)$

In a second implementation variant, the client device then verifies each received proof by executing batch verification comprising, given a correction parameter λ:

- selection of a random vector $(d_1,\ldots,d_{3 \cdot l})$ of elements of size λ,
- batch verification of the L·l digests, in l times, by executing the following equality tests, for $b \in \{1,\ldots,l\}$:

$e\left(\prod_{l=1}^{L}\left(g_{v1}^{V_b^{\prime(l)}}\right)^{d_l}, g_2^{\alpha_{bv}}\right) \cdot e\left(\prod_{l=1}^{L}\left(g_{w1}^{W_b^{\prime(l)}}\right)^{d_{L+l}}, g_2^{\alpha_{bw}}\right) \cdot e\left(\prod_{l=1}^{L}\left(g_{y1}^{Y_b^{\prime(l)}}\right)^{d_{2 \cdot L+l}}, g_2^{\alpha_{by}}\right) = e\left(\prod_{l=1}^{L}\left(g_{v1}^{V_b^{(l)}}\right)^{d_l} \cdot \prod_{l=1}^{L}\left(g_{w1}^{W_b^{(l)}}\right)^{d_{L+l}} \cdot \prod_{l=1}^{L}\left(g_{y1}^{Y_b^{(l)}}\right)^{d_{2 \cdot L+l}}, g_2\right)$

$e\left(\prod_{l=1}^{L}\left(g_1^{Z_b^{(l)}}\right)^{d_l}, g_2^{\gamma_b}\right) = e\left(\prod_{l=1}^{L}\left(g_{v1}^{V_b^{(l)}} \cdot g_{w1}^{W_b^{(l)}} \cdot g_{y1}^{Y_b^{(l)}}\right)^{d_l}, g_2^{\beta_b \cdot \gamma_b}\right)$

- batch verification of the L proofs by executing the following equality test:

$\prod_{l=1}^{L} e\left(\prod_{b=1}^{l}\left(g_{v1}^{V_b^{(l)}}\right)^{d_l}, \prod_{b=1}^{l} g_{w2}^{W_b^{(l)}}\right) = e\left(\prod_{l=1}^{L}\left(g_1^{H^{(l)}}\right)^{d_l}, g_{y2}^{t(s)}\right) \cdot e\left(\prod_{l=1}^{L}\prod_{b=1}^{l}\left(g_{y1}^{Y_b^{(l)}}\right)^{d_l}, g_2\right),$

- and, as an option, verification that the elements to which the pairings are applied belong to their respective groups.

The method thus carries out biometric identification by comparing biometric data within the scope of a publicly verifiable computation protocol, while minimizing the time necessary for production and verification of the proofs of proper execution of this computation, by minimizing the number of multipliers employed to represent this computation in the form of an arithmetic circuit.

1. A biometric identification method of an entity, by a biometric identification system comprising a client device and a remote computation device, comprising: computation of at least one matching value between at least one biometric datum of the entity u and at least one reference biometric datum u′, by application of a function F to said biometric data, each of said data being a vector of N binary integers u_(i) or u′_(i) with 1≤i≤N, each integer being coded on n bits, said function comprising a scalar product between a biometric datum of the entity and a reference biometric datum, said computation performing a non-interactive, publicly verifiable computation method comprising steps of: representation of said function in the form of an arithmetic circuit comprising wires transporting values of the finite prime field _(q), with q a prime number, and connecting addition and multiplication operators, conversion of said arithmetic circuit into a polynomial representation, QAP (Quadratic Arithmetic Program) or multi-QAP, generation of a public evaluation key and of a public verification key as a function of said polynomial representation, obtaining by the remote computation device of the arithmetic circuit and of the public evaluation key, for each biometric datum of the entity, determination of at least one matching value between said biometric datum and at least one reference biometric datum by the remote computation device by evaluating the arithmetic circuit having as inputs the biometric datum of the entity and the reference biometric datum, for each determined matching value, generation by the remote computation device of a proof of correction of the computation execution of the matching value, so-called generated proof, from said polynomial representation, the public evaluation key and the result of the evaluation of the arithmetic circuit, transmission by the remote computation device of said matching values and of said generated proofs to the client device, verification of said proofs received by the client device by means of the public verification key, identification of the entity by the client device as a function of the matching values and of the result of said verification of proofs, wherein: representation of said function comprises encoding an integer k>1 of binary integers of a vector of a biometric datum on at least one input wire of the circuit, and the function F comprising at least m scalar products, m being a divider of the length N of the biometric data vectors, if the divider m is equal to 2 or 3, the circuit comprises at least N/km multiplication operators connected to the input wires of the circuit, a storage memory, and at least one addition operator, and evaluation of the circuit iteratively comprises computation of each of the m scalar products by means of said N/km multiplication operators, storage of m results of computations of said scalar products in said storage memory and summation of said results by means of said addition operator, if the divider m is greater than or equal to 4, the circuit comprises at least one first computation sub-circuit of scalar product comprising N/km first multiplication operators connected to the input wires of the circuit and a first storage memory, and a second computation sub-circuit of scalar product comprising N/km second multiplication operators connected to the input wires of the circuit and a second storage memory, each of said sub-circuit being also connected to an output of the storage memory of the other sub-circuit, and evaluation of the circuit iteratively comprises computation of each of the m scalar products by using alternatively the first or the second sub-circuit to compute the sum of the scalar product of the values of the input wires of this sub-circuit and of the value stored in the storage memory of the other sub-circuit.
 2. The identification method according to claim 1, wherein the verification step of said received proofs comprises batch verification of pairings.
 3. The identification method according to claim 1, wherein: if the divider m of the length N of the biometric data vectors is equal to 1, given an asymmetric bilinear environment (q, G₁, G₂, G_(T), g_(i), g₂, e) where q is a prime number G₁, G₂ and G_(T) three groups of order q, g₁ a generator of G₁, g₂ a generator of G₂, and e a non-degenerate bilinear pairing e: G₁×G₂→G_(T) and the arithmetic circuit being represented in the form of a QAP of the circuit Q=(t, V, W, Y) of size ρ and degree δ, with V={vi}, W={wi}, Y={yi}, 0≦i≦ρ, and given I_(io)={1, . . . , θ} the set of indices corresponding to the input/output wires of the circuit and I_(mid)={θ+1, . . . ρ} the set of indices of the intermediate wires of the circuit not being input wires of the circuit, the generation step of a public evaluation key and of a public verification key comprises: generation of random variables r_(v), r_(W), s, α_(y), α_(w), α_(y), β, γ in

_(q), definition of coefficients r_(y)=r_(v)·r_(w), g_(v1)=g₁ ^(r) ^(v) , g_(w1)=g₁ ^(r) ^(w) , g_(w2)=g₂ ^(r) ^(w) , g_(y1)=g₁ ^(r) ^(y) and g_(y2)=g₂ ^(r) ^(y) , generation of the public evaluation key EK_(F) equal to (EK_(F1), EK_(F2)) where ${EK}_{F\; 1} = \begin{pmatrix} {\left\{ g_{v\; 1}^{v_{i}{(s)}} \right\}_{i \in I_{mid}},\left\{ g_{w\; 1}^{w_{i}{(s)}} \right\}_{i \in I_{mid}},\left\{ g_{y\; 1}^{y_{i}{(s)}} \right\}_{i \in I_{mid}},} \\ {\left\{ g_{v\; 1}^{\alpha_{v} \cdot {v_{i}{(s)}}} \right\}_{i \in I_{mid}},\left\{ g_{w\; 1}^{\alpha_{w} \cdot {w_{i}{(s)}}} \right\}_{i \in I_{mid}},\left\{ g_{y\; 1}^{\alpha_{y} \cdot {y_{i}{(s)}}} \right\}_{i \in I_{mid}},} \\ {\left\{ g_{1}^{s^{i}} \right\}_{i \in {\lbrack{1,\delta}\rbrack}},\left\{ {g_{v\; 1}^{\beta \cdot {v_{i}{(s)}}} \cdot g_{w\; 1}^{\beta \cdot {w_{i}{(s)}}} \cdot g_{y\; 1}^{\beta \cdot {y_{i}{(s)}}}} \right\}_{i \in I_{mid}}} \end{pmatrix}$ EK_(F 2) = ({g_(w 2)^(w_(i)(s))}_(i ∈ I_(mid))) generation of the public verification key VK_(F) equal to (VK_(F1), VK_(F2)) where: VK_(F1)=(g ₁ ,{g _(v1) ^(v) ^(i) ^((s))}_(iε[1,θ]) ,{g _(y1) ^(y) ^(i) ^((s))}_(iε[1,θ])) VK_(F2)=(g ₂ ,g ₂ ^(α) ^(v) ;g ₂ ^(α) ^(w) ,g ₂ ^(α) ^(y) ,g ₂ ^(β·γ) ,g _(y2) ^(t(s)) ,{g _(w2) ^(w) ^(i) ^((s))}_(iε[1,θ])). 
generation by the remote computation device of a proof of correction of the computation execution of a matching value comprises, {c_(i)}_(iε[1,ρ]) being the set of values of the circuit determined during the determination step of the matching value: determination of a polynomial h(x) such that p(x)=h(x)·t(x) with p(x)=(v₀(x)+Σ_(i=1) ^(ρ)c_(i)·v_(i)(x))·(w₀(x)+Σ_(i=1) ^(ρ)c_(i)·w_(i)(x))−(y₀(x)+Σ_(i=1) ^(ρ)c_(i)·y_(i)(x)), computation of the generated proof π=(π₁, π₂) with: ${\pi_{1} = \begin{pmatrix} {g_{v\; 1}^{v_{mid}{(s)}},g_{w\; 1}^{w_{mid}{(s)}},g_{y\; 1}^{y_{mid}{(s)}},g_{1}^{h{(s)}},} \\ {g_{v\; 1}^{\alpha_{v} \cdot {v_{mid}{(s)}}},g_{w\; 1}^{\alpha_{w} \cdot {w_{mid}{(s)}}},g_{y\; 1}^{\alpha_{y} \cdot {y_{mid}{(s)}}},} \\ {g_{v\; 1}^{\beta \cdot {v_{mid}{(s)}}} \cdot g_{w\; 1}^{\beta \cdot {w_{mid}{(s)}}} \cdot g_{y\; 1}^{\beta \cdot {y_{mid}{(s)}}}} \end{pmatrix}},{\pi_{2} = \left( g_{w\; 2}^{w_{mid}{(s)}} \right)}$ where: v_(mid)(x)=Σ_(iεI) _(mid) c_(i)·v_(i)(x), w_(mid)(x)=Σ_(iεI) _(mid) c_(i)·w₁(x) and y_(mid)(x)=Σ_(iεI) _(mid) c_(i)′y_(i)(x), and, wherein said proofs received by the client device being equal to (π_(r1), π_(r2)) with π_(r1) in the form of: (g_(v1) ^(V) ^(mid) , g_(w1) ^(W) ^(mid) , g_(y1) ^(Y) ^(mid) , g₁ ^(H), g_(v1) ^(V′) ^(mid) , g_(w1) ^(W) ^(mid) , g_(y1) ^(Y′) ^(mid) , g₁ ^(Z)) and π_(r2) in the form g_(w2) ^(W) ^(mid) , the verification of a received proof comprises performing the following equality tests: e(g_(v1) ^(v) ^(o) ^((s))·g_(v1) ^(v) ^(io) ^((s))·g_(v1) ^(V) ^(mid) , g_(w2) ^(w) ^(o) ^((s))·g_(w2) ^(w) ^(io) ^((s))·g_(w2) ^(W) ^(mid) )=e(g₁ ^(H), g_(y2) ^(t(s)))·e(g_(y1) ^(y) ^(o) ^((s))·g_(y1) ^(y) ^(io) ^((s))·g_(y1) ^(Y) ^(mid) , g₂), e((g_(v1) ^(V′) ^(mid) )^(d) ¹ ·(g_(w1) ^(W′) ^(mid) )^(d) ² ·(g_(y1) ^(Y′) ^(mid) )^(d) ³ , g₂)=e((g_(v1) ^(V) ^(mid) )^(d) ¹ , g₂ ^(α) ^(v) )·e((g_(w1) ^(W) ^(mid) )^(d) ² , g₂ ^(α) ^(w) )·e((g_(y1) ^(Y) ^(mid) )^(d) ³ , g₂ ^(α) ^(y) ), e((g₁ ^(Z), g₂ 
^(γ))=e(g_(v1) ^(V) ^(mid) ·g_(w1) ^(W) ^(mid) ·g_(y1) ^(Y) ^(mid) , g₂ ^(β·γ)) where g_(v1) ^(v) ^(io) ^((s))=Π_(i=1) ^(θ)(g_(v1) ^(v) ^(i) ^((s)))^(c) ^(i) , g_(w1) ^(w) ^(io) ^((s))=Π_(i=1) ^(θ)(g_(w1) ^(w) ^(i) ^((s)))^(c) ^(i) , and g_(y1) ^(y) ^(io) ^((s))=Π_(i=1) ^(θ)(g_(y1) ^(y) ^(i) ^((s)))^(c) ^(i) and (d₁, d₂, d₃) elements of

_(q) on λ bits with λ a security parameter.
 4. The identification method according to claim 1 wherein: if the divider m of the length N of the biometric data vectors is greater than or equal to 2, given an asymmetric bilinear environment (q, G₁, G₂, G_(T), g₁, g₂, e) where q is a prime number G₁, G₂ and G_(T) three groups of order q, g₁ a generator of G₁, g₂ a generator of G₂, and e a non-degenerate bilinear pairing e: G₁×G₂→G_(T), the arithmetic circuit being represented in the form of a multi-QAP Q=({B_(b)}_(bε[1,l]),t,V,W,Y) of size ρ and degree δ, with {B_(b)}_(bε[1,l]) a set of l banks B_(b) of Q used in the computation of the function F, and V={vi}, W={wi}, Y={yi} with 0≦i≦ρ, the generation step of a public evaluation key and of a public verification key comprises: generation of random variables s,{(α_(bv), α_(bw), α_(by), β_(b), γ_(b))}_(bε[1,l]), r_(v), r_(w) in

_(q), definition of the following coefficients: r_(y)=r_(v)·r_(w), g_(v1)=g₁ ^(r) ^(v) , g_(v2)=g₂ ^(r) ^(v) , g_(w1)=g₁ ^(r) ^(w) , g_(w2)=g₂ ^(r) ^(w) , g_(y1)=g₁ ^(r) ^(y) and g_(y2)=g₂ ^(r) ^(y) , generation of the public evaluation key EK_(F) equal to: ({EK_(Fb)}_(bε[1,l]) ,{g ₁ ^(s) ^(i) }_(iε[1,δ]) ,g _(v1) ^(t(s)) ,g _(w1) ^(t(s)) ,g _(y1) ^(t(s)) ,g _(v1) ^(t(s)) ,g _(w1) ^(t(s)) ,g _(y1) ^(t(s))) where each public bank key EK_(Fb) is equal to (EK_(Fb1), EK_(Fb2)) with: ${EK}_{{Fb}\; 1} = \begin{pmatrix} {\begin{Bmatrix} {g_{v\; 1}^{v_{i}{(s)}},g_{w\; 1}^{w_{i}{(s)}},g_{y\; 1}^{y_{i}{(s)}},g_{v\; 1}^{\alpha_{bv} \cdot {v_{i}{(s)}}},g_{w\; 1}^{\alpha_{bw} \cdot {w_{i}{(s)}}},g_{y\; 1}^{\alpha_{by} \cdot {y_{i}{(s)}}},} \\ {g_{v\; 1}^{\beta_{b} \cdot {v_{i}{(s)}}} \cdot g_{w\; 1}^{\beta_{b} \cdot {w_{i}{(s)}}} \cdot g_{y\; 1}^{\beta_{b} \cdot {y_{i}{(s)}}}} \end{Bmatrix}_{i \in B_{b}},} \\ {g_{v\; 1}^{\alpha_{bv} \cdot {t{(s)}}},g_{w\; 1}^{\alpha_{bw} \cdot {t{(s)}}},g_{y\; 1}^{\alpha_{by} \cdot {t{(s)}}},g_{v\; 1}^{\beta_{b} \cdot {t{(s)}}},g_{w\; 1}^{\beta_{b} \cdot {t{(s)}}},g_{y\; 1}^{\beta_{b} \cdot {t{(s)}}}} \end{pmatrix}$ EK_(Fb2)=({g_(w2) ^(w) ^(i) ^((s))}_(iεb) ₂ , g_(w2) ^(α) ^(bw) ^(·t(s))) generation of the public verification key VK_(F) equal to: ({VK_(Fb)}_(bε[1,l]), g₁, g₂, g_(y2) ^(t(s))) where each public bank key VK_(Fb) is equal to (g₂ ^(α) ^(bv) , g₂ ^(α) ^(bw) , g₂ ^(α) ^(by) , g₂ ^(γ) ^(b) , g₂ ^(β) ^(b) ^(·γ) ^(b) ), determination of a matching value comprises, the function F being divided into ω sub-functions F₁, . . . , F_(ω) and σ=((f_(l), (T_(l1), . . . T_(ll))))_(lε[1,L]) being a scheduling of length L with f_(l)ε{1, . . . 
, ω}, evaluation of each sub-function F_(ω) from the biometric data of the entity and the reference biometric data and determination of values of the circuit, generation by the remote computation device of proof of correction of the computation execution of a matching value comprises, for each l={1, . . . , L}: for each bank B_(b) such that bεΛ, with Λ⊂[1,l] the set of indices bε[1,l] such that T_(lb)≠0, Γ=∪_(bεΛ)B_(b), {c_(j)}_(jεB) _(b) an instance of the bank B_(b), Δ={c_(i)}_(iεΓ) the set of values of Γ: generation of pledging random variables in

_(q): o_(b)=(o_(bv), o_(bw), o_(by)), computation of a digest D_(b) equal to (D_(b1), D_(b2)) from the instance of the bank of variables B_(b): B_(b) ^((T) ^(lb) ⁾={c_(i)εΔ}_(iεB) _(b) and pledging random variables o_(b) and such that: if the bank B_(b) is an input/output bank: D_(b1)=(g_(v1) ^(v) ^((b)) ^((s)), g_(y1) ^(v) ^((b)) ^((s))) and D_(b2)=(g_(w2) ^(w) ^((b)) ^((s))), if the bank B_(b) is not an input/output bank: $D_{b\; 1} = \begin{pmatrix} {g_{v\; 1}^{v^{(b)}{(s)}},g_{w\; 1}^{w^{(b)}{(s)}},g_{y\; 1}^{y^{(b)}{(s)}},g_{v\; 1}^{\alpha_{bv} \cdot {v^{(b)}{(s)}}},g_{w\; 1}^{\alpha_{bw} \cdot {w^{(b)}{(s)}}},g_{y\; 1}^{\alpha_{by} \cdot {y^{(b)}{(s)}}},} \\ {g_{v\; 1}^{\beta_{b} \cdot {v^{(b)}{(s)}}} \cdot g_{w\; 1}^{\beta_{b} \cdot {w^{(b)}{(s)}}} \cdot g_{y\; 1}^{\beta_{b} \cdot {y^{(b)}{(s)}}}} \end{pmatrix}$ D_(b 2) = (g_(w 2)^(w^((b))(s))) with: v ^((b))(s)=Σ_(iΣB) _(b) c _(i) ·v _(i)(s)+o _(bv) ·t(s), w ^((b))(s)=Σ_(iΣB) _(b) c _(i) ·w _(i)(s)+o _(bw) ·t(s), y ^((b))(s)=Σ_(iΣB) _(b) c _(i) ·y _(i)(s)+o _(by) ·t(s), determination of a polynomial h^((l))(x) such that p^((l))(x)=h^((l))(x)·t(x) with p^((l))(x)=(v₀(x)+Σ_(iεΓ)c_(i)·v_(j)(x)+Σ_(bεΛ)o_(bv)·t(x))·(w₀(x)+Σ_(iεΓ)c_(i)·w_(j)(x)+Σ_(bεΛ)o_(bw)·t(x))−(y₀(x)+Σ_(iεΓ)c_(i)·y_(j)(x)+E_(bεΛ)o_(by)·t(x)) computation of a proof element π^((l)) equal to g₁ ^(h) ^((l)) ^((s)), and, wherein said proofs received by the client device being of the form D₁ ⁽¹⁾, . . . , D_(l) ⁽¹⁾, π⁽¹⁾, . . . , D₁ ^((L)), . . . , D_(l) ^((L)), π^((L)) where for all lε{1, . . . , L} and bε{1, . . . , l}: D_(b)^((l)) = ((g_(v 1)^(V_(b)^((l))), g_(w 1)^(W_(b)^((l))), g_(y 1)^(Y_(b)^((l))), g_(v 1)^(V_(b)^(′ (l))), g_(w 1)^(W_(b)^(′ (l))), g_(y 1)^(Y_(b)^(′ (l))), g₁^(Z_(b)^((l)))), (g_(w 2)^(W_(b)^((l))))) and π^((l))=g₁ ^(H) ^((l)) , verification of a received proof comprises: verification of L·l digests, for lε{1, . . . , L} and bε{1, . . . 
, l} comprising performing the following equality tests: e(g_(v 1)^(V_(b)^(′ (l))), g₂^(α_(bv))) = e(g_(v 1)^(V_(b)^((l))), g₂) e(g_(w 1)^(W_(b)^(′(l))), g₂^(α_(bw))) = e(g_(w 1)^(W_(b)^((l))), g₂) e(g_(y 1)^(Y_(b)^(′ (l))), g₂^(α_(by))) = e(g_(y 1)^(Y_(b)^((l))), g₂) e(g₁^(Z_(b)^((l))), g₂^(γ_(b))) = e(g_(v 1)^(V_(b)^((l))) ⋅ g_(w 1)^(W_(b)^((l))) ⋅ g_(y 1)^(Y_(b)^((l))), g₂^(β_(b) ⋅ γ_(b))) verification of L proofs comprising for lε{1, . . . , L} performing the following equality test: ${e\left( {{\prod\limits_{b = 1}^{}\left( g_{v\; 1}^{V_{b}^{(l)}} \right)},{\prod\limits_{b = 1}^{}\; \left( g_{w\; 2}^{W_{b}^{(l)}} \right)}} \right)} = {{e\left( {g_{1}^{H^{(l)}},g_{y\; 2}^{t{(s)}}} \right)} \cdot {e\left( {{\prod\limits_{b = 1}^{}\left( g_{y\; 1}^{Y_{b}^{(l)}} \right)},g_{2}} \right)}}$
 5. The identification method according to claim 1 wherein: if the divider m of the length N of the biometric data vectors is greater than or equal to 2, given an asymmetric bilinear environment (q, G₁, G₂, G_(T), g₁, g₂, e) where q is a prime number G₁, G₂ and G_(T) three groups of order q, g₁ a generator of G₁, g₂ a generator of G₂, and e a non-degenerate bilinear pairing e: G₁×G₂→G_(T), the arithmetic circuit being represented in the form of a multi-QAP Q=({B_(b)}_(bε[1,l]), t,V,W,Y) of size ρ and degree δ, with {B_(b)}_(bε[1,l]) a set of l banks B_(b) of Q used in computation of the function F, and V={vi}, W={wi}, Y={yi} with 0≦i≦ρ, the generation step of a public evaluation key and a public verification key comprises: generation of random variables s, {(α_(bv), α_(bw), α_(by), β_(b), γ_(b))}_(bε[1,l]), r_(v), r_(w) in

_(q), definition of the following coefficients: r_(y)=r_(v)r·_(w), g_(v1)=g₁ ^(r) ^(v) , g_(v2)=g₂ ^(r) ^(v) , g_(w1)=g₁ ^(r) ^(w) , g_(w2)=g₂ ^(r) ^(w) , g_(y1)=g₁ ^(r) ^(y) and g_(y2)=g₂ ^(r) ^(y) , generation of the public evaluation key EK_(F) equal to: ({EK_(Fb)}_(bε[1,l]) ,{g ₁ ^(s) ^(i) }_(iε[1,δ]) ,g _(v1) ^(t(s)) ,g _(w1) ^(t(s)) ,g _(y1) ^(t(s)) ,g _(v2) ^(t(s)) ,g _(w2) ^(t(s)) ,g _(y2) ^(t(s))) where each public bank key EK_(Fb) is equal to (EK_(Fb1), EK_(Fb2)) with: ${EK}_{{Fb}\; 1} = \begin{pmatrix} {\begin{Bmatrix} {g_{v\; 1}^{v_{i}{(s)}},g_{w\; 1}^{w_{i}{(s)}},g_{y\; 1}^{y_{i}{(s)}},g_{v\; 1}^{\alpha_{bv} \cdot {v_{i}{(s)}}},g_{w\; 1}^{\alpha_{bw} \cdot {w_{i}{(s)}}},g_{y\; 1}^{\alpha_{by} \cdot {y_{i}{(s)}}},} \\ {g_{v\; 1}^{\beta_{b} \cdot {v_{i}{(s)}}} \cdot g_{w\; 1}^{\beta_{b} \cdot {w_{i}{(s)}}} \cdot g_{y\; 1}^{\beta_{b} \cdot {y_{i}{(s)}}}} \end{Bmatrix}_{i \in B_{b}},} \\ {g_{v\; 1}^{\alpha_{bv} \cdot {t{(s)}}},g_{w\; 1}^{\alpha_{bw} \cdot {t{(s)}}},g_{y\; 1}^{\alpha_{by} \cdot {t{(s)}}},g_{v\; 1}^{\beta_{b} \cdot {t{(s)}}},g_{w\; 1}^{\beta_{b} \cdot {t{(s)}}},g_{y\; 1}^{\beta_{b} \cdot {t{(s)}}}} \end{pmatrix}$      EK_(Fb 2) = ({g_(w 2)^(w_(i)(s))}_(i ∈ B_(b)), g_(w 2)^(α_(bw) ⋅ t(s))) generation of the public verification key VK_(F) equal to: ({VK_(Fb)}_(bε[1,l]), g₁, g₂, g_(y2) ^(t(s))) where each public bank key VK_(Fb) is equal to (g₂ ^(α) ^(bv) , g₂ ^(α) ^(bw) , g₂ ^(α) ^(by) , g₂ ^(γ) ^(b) , g₂ ^(β) ^(b) ^(·γ) ^(b) ), determination of a matching value comprises, function F being divided into ω sub-functions F₁, . . . , F_(ω) and σ=((f_(l), (T_(l1), . . . , T_(ll))))_(lε[1,L]) being a scheduling of length L with f_(l)ε{1, . . . 
, ω}, evaluation of each sub-function $F_{\omega}$ from the biometric data of the entity and the reference biometric data and determination of the values of the circuit,
generation by the remote computation device of a proof of correction of the computation execution of a matching value comprises, for each $l = \{1, \ldots, L\}$:
for each bank $B_b$ such that $b \in \Lambda$, with $\Lambda \subset [1, l]$ the set of indices $b \in [1, l]$ such that $T_{lb} \neq 0$, $\Gamma = \bigcup_{b \in \Lambda} B_b$, $\{c_j\}_{j \in B_b}$ an instance of the bank $B_b$, $\Delta = \{c_i\}_{i \in \Gamma}$ the set of values of $\Gamma$:
generation of pledging random variables in _(q): $o_b = (o_{bv}, o_{bw}, o_{by})$,
computation of a digest $D_b$ equal to $(D_{b1}, D_{b2})$ from the instance of the bank of variables $B_b$: $B_b^{(T_{lb})} = \{c_i \in \Delta\}_{i \in B_b}$ and the pledging random variables $o_b$ and such that:
if the bank $B_b$ is an input/output bank: $D_{b1} = \left(g_{v1}^{v^{(b)}(s)}, g_{y1}^{y^{(b)}(s)}\right)$ and $D_{b2} = \left(g_{w2}^{w^{(b)}(s)}\right)$,
if the bank $B_b$ is not an input/output bank:
$D_{b1} = \left(g_{v1}^{v^{(b)}(s)}, g_{w1}^{w^{(b)}(s)}, g_{y1}^{y^{(b)}(s)}, g_{v1}^{\alpha_{bv} \cdot v^{(b)}(s)}, g_{w1}^{\alpha_{bw} \cdot w^{(b)}(s)}, g_{y1}^{\alpha_{by} \cdot y^{(b)}(s)}, g_{v1}^{\beta_b \cdot v^{(b)}(s)} \cdot g_{w1}^{\beta_b \cdot w^{(b)}(s)} \cdot g_{y1}^{\beta_b \cdot y^{(b)}(s)}\right)$
$D_{b2} = \left(g_{w2}^{w^{(b)}(s)}\right)$
with:
$v^{(b)}(s) = \sum_{i \in B_b} c_i \cdot v_i(s) + o_{bv} \cdot t(s)$,
$w^{(b)}(s) = \sum_{i \in B_b} c_i \cdot w_i(s) + o_{bw} \cdot t(s)$,
$y^{(b)}(s) = \sum_{i \in B_b} c_i \cdot y_i(s) + o_{by} \cdot t(s)$,
determination of a polynomial $h^{(l)}(x)$ such that $p^{(l)}(x) = h^{(l)}(x) \cdot t(x)$ with
$p^{(l)}(x) = \left(v_0(x) + \sum_{i \in \Gamma} c_i \cdot v_i(x) + \sum_{b \in \Lambda} o_{bv} \cdot t(x)\right) \cdot \left(w_0(x) + \sum_{i \in \Gamma} c_i \cdot w_i(x) + \sum_{b \in \Lambda} o_{bw} \cdot t(x)\right) - \left(y_0(x) + \sum_{i \in \Gamma} c_i \cdot y_i(x) + \sum_{b \in \Lambda} o_{by} \cdot t(x)\right)$
computation of a proof element $\pi^{(l)}$ equal to $g_1^{h^{(l)}(s)}$,
and, wherein said proofs received by the client device being of the form $D_1^{(1)}, \ldots, D_l^{(1)}, \pi^{(1)}, \ldots, D_1^{(L)}, \ldots, D_l^{(L)}, \pi^{(L)}$ where for all $l \in \{1, \ldots, L\}$ and $b \in \{1, \ldots, l\}$:
$D_b^{(l)} = \left(\left(g_{v1}^{V_b^{(l)}}, g_{w1}^{W_b^{(l)}}, g_{y1}^{Y_b^{(l)}}, g_{v1}^{V_b^{\prime(l)}}, g_{w1}^{W_b^{\prime(l)}}, g_{y1}^{Y_b^{\prime(l)}}, g_1^{Z_b^{(l)}}\right), \left(g_{w2}^{W_b^{(l)}}\right)\right)$ and $\pi^{(l)} = g_1^{H^{(l)}}$,
verification of a received proof comprises, given a correction parameter λ:
selection of a random vector $(d_1, \ldots, d_{3 \cdot l})$ of elements of size λ,
batch verification of L·l digests comprising performing l times the following equality tests, for $b \in \{1, \ldots, l\}$:
$e\left(\prod_{l=1}^{L} \left(g_{v1}^{V_b^{\prime(l)}}\right)^{d_l}, g_2^{\alpha_{bv}}\right) \cdot e\left(\prod_{l=1}^{L} \left(g_{w1}^{W_b^{\prime(l)}}\right)^{d_{L+l}}, g_2^{\alpha_{bw}}\right) \cdot e\left(\prod_{l=1}^{L} \left(g_{y1}^{Y_b^{\prime(l)}}\right)^{d_{2 \cdot L+l}}, g_2^{\alpha_{by}}\right) = e\left(\prod_{l=1}^{L} \left(g_{v1}^{V_b^{(l)}}\right)^{d_l} \cdot \prod_{l=1}^{L} \left(g_{w1}^{W_b^{(l)}}\right)^{d_{L+l}} \cdot \prod_{l=1}^{L} \left(g_{y1}^{Y_b^{(l)}}\right)^{d_{2 \cdot L+l}}, g_2\right)$
$e\left(\prod_{l=1}^{L} \left(g_1^{Z_b^{(l)}}\right)^{d_l}, g_2^{\gamma_b}\right) = e\left(\prod_{l=1}^{L} \left(g_{v1}^{V_b^{(l)}} \cdot g_{w1}^{W_b^{(l)}} \cdot g_{y1}^{Y_b^{(l)}}\right)^{d_l}, g_2^{\beta_b \cdot \gamma_b}\right)$
batch verification of L proofs comprising performing the following equality test:
$\prod_{l=1}^{L} e\left(\prod_{b=1}^{} \left(g_{v1}^{V_b^{(l)}}\right)^{d_l}, \prod_{b=1}^{} \left(g_{w2}^{W_b^{(l)}}\right)\right) = e\left(\prod_{l=1}^{L} \left(g_1^{H^{(l)}}\right)^{d_l}, g_{y2}^{t(s)}\right) \cdot e\left(\prod_{l=1}^{L} \prod_{b=1}^{} \left(g_{y1}^{Y_b^{(l)}}\right)^{d_l}, g_2\right)$
 6. The identification method according to claim 1, wherein the identification of the entity comprises comparison of the matching values with a predetermined threshold.
 7. The identification method according to claim 1, wherein the function F comprises comparison of the result of the scalar product between said biometric data of the entity and said reference biometric data with a predetermined threshold.
 8. The identification method according to claim 1, wherein the encoding of k binary integers $u_i$ or $u'_i$ on an input wire of a $j^{th}$ multiplication operator, $1 \le j \le N/k$, is equal to
$E_k^{\left(\frac{(z-1)N}{m} + (j-1)k + 1\right)}(u)$ or $E_k^{\left(\frac{(z-1)N}{m} + (j-1)k + 1\right)}(u')$
with $1 \le z \le m$, and is given by the formula:
$E_k^{((j-1)k+1)}(x) = \sum_{i=1}^{k} 2^{\varepsilon_i} \cdot x_{(j-1)k+i} = 2^{\varepsilon_1} \cdot x_{(j-1)k+1} + \ldots + 2^{\varepsilon_k} \cdot x_{(j-1)k+k}$
with $\varepsilon_1, \ldots, \varepsilon_k$ predetermined integers.
 9. A computer program product comprising code instructions for execution of a method according to claim 1 when this program is executed by a processor.
 10. A biometric identification system comprising a client device and a remote computation device wherein: said client device and said remote computation device each comprise a processor, an interface and a memory for performing the steps of the identification method according to claim 1.
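The following is an added illustration of the wire encoding of claim 8, not text of the claims and not the applicant's code. It packs k bits per input wire so that a single scalar product of two N-bit vectors needs only N/k multiplications (the case without the split into m sub-products). The exponents ε_i = 2^i − 2, the bit-extraction step and the sample vectors are assumptions chosen for this example; the claims only require ε_1, …, ε_k to be predetermined integers.

```python
def assumed_eps(k):
    """Hypothetical exponents eps_i = 2^i - 2 for i = 1..k (0, 2, 6, 14, ...).

    With this choice each diagonal term u_i*u'_i of the product lands on
    bit 2*eps_i, and every cross term (coefficient 0..2) occupies two bits
    that no other term touches, so no carry reaches a diagonal bit.
    """
    return [(1 << i) - 2 for i in range(1, k + 1)]


def encode(x, j, k, eps):
    """E_k^((j-1)k+1)(x) = sum_{i=1..k} 2^eps_i * x_{(j-1)k+i}  (j is 1-based)."""
    base = (j - 1) * k
    return sum(x[base + i] << eps[i] for i in range(k))


def packed_scalar_product(u, u_ref, k):
    """Scalar product of two bit vectors using N/k multiplications.

    Returns (scalar_product, number_of_multiplications). In a real circuit
    the product must stay below the field order q, which bounds k.
    """
    if len(u) != len(u_ref) or len(u) % k:
        raise ValueError("vectors must have equal length divisible by k")
    eps = assumed_eps(k)
    total = mults = 0
    for j in range(1, len(u) // k + 1):
        # One multiplication operator on two packed input wires.
        prod = encode(u, j, k, eps) * encode(u_ref, j, k, eps)
        mults += 1
        # Read back the k diagonal bits (assumed extraction step).
        total += sum((prod >> (2 * e)) & 1 for e in eps)
    return total, mults


# Constructed sample data: 8-bit vectors, k = 4 bits per wire.
U = [1, 0, 1, 1, 0, 1, 1, 0]
U_REF = [1, 1, 1, 0, 0, 1, 0, 0]

if __name__ == "__main__":
    sp, mults = packed_scalar_product(U, U_REF, 4)
    print(f"scalar product = {sp} using {mults} multiplications")
```
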